Cyber Criminals Exploit IoT Devices to Fuel BADBOX 2.0 Botnet, FBI Warns
- 17GEN4
- Jun 8
Washington, D.C. – Cyber criminals are increasingly targeting Internet of Things (IoT) devices, such as smart TVs, streaming boxes, and digital projectors, to infiltrate home networks and expand the BADBOX 2.0 botnet, a sprawling network of compromised devices used for malicious activities, according to a new Public Service Announcement (PSA) issued by the Federal Bureau of Investigation (FBI) on June 5, 2025. The FBI is urging consumers to assess their IoT devices for signs of compromise and adopt mitigation strategies to protect their networks from this growing threat.
The BADBOX 2.0 botnet, an evolution of the original BADBOX campaign disrupted in 2024, has infected over 1 million devices across 222 countries, with significant concentrations in Brazil, the United States, Mexico, and Argentina. Most affected devices are low-cost, off-brand Android-based products manufactured in China, such as uncertified tablets, connected TV boxes, and digital picture frames. These devices are either preloaded with malware before purchase or infected during setup through malicious apps downloaded from unofficial marketplaces. Once connected to a home network, these compromised devices become part of the botnet, enabling cyber criminals to conduct activities like ad fraud, credential stuffing, and routing malicious traffic through residential proxy networks to mask their operations.
“The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks,” the FBI stated in its PSA. The agency noted that the botnet’s operators often trick users into disabling Google Play Protect settings to install counterfeit apps that mimic legitimate software, further spreading the malware.
Indicators of Compromise
The FBI has outlined several indicators that may signal a device is part of the BADBOX 2.0 botnet. Consumers are advised to monitor their IoT devices for the following red flags:
Presence of suspicious app marketplaces or apps requiring Google Play Protect to be disabled.
Generic TV streaming devices advertised as “unlocked” or offering free premium content.
IoT devices from unrecognized brands, especially Android-based devices that are not Google Play Protect certified.
Unexplained or suspicious internet traffic on home networks.
The FBI emphasized that a single indicator does not confirm malicious activity, but these signs should prompt further scrutiny. For a detailed list of 74 compromised device models, consumers can refer to resources from cybersecurity firms like HUMAN Security.
Mitigation Strategies
To combat the threat, the FBI recommends several proactive steps to secure home networks and prevent devices from joining the BADBOX 2.0 botnet:
Assess and Disconnect Suspicious Devices: Regularly evaluate IoT devices for unusual behavior and disconnect those exhibiting signs of compromise.
Update Software and Firmware: Keep all operating systems, firmware, and software up to date to patch vulnerabilities.
Avoid Unofficial App Sources: Refrain from downloading apps from third-party marketplaces, especially those advertising free streaming content.
Monitor Network Traffic: Use tools to track internet traffic for anomalies, which could indicate botnet activity.
Source Certified Devices: Purchase IoT devices from reputable vendors and ensure they are Google Play Protect certified. On an Android device, the certification status is shown in the Play Store app under Settings > About > Play Protect certification.
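The two traffic-related items above (the "unexplained or suspicious internet traffic" indicator and the "Monitor Network Traffic" step) are easier to act on with a concrete heuristic. The following Python script is an added example, not from the FBI PSA or any of the cited vendors. It rolls per-flow records (the six-column layout, the thresholds and the three sample hosts are all assumptions) up per LAN host and flags a host that behaves like a residential-proxy exit: many outbound flows, many unrelated destination networks, and more upload than download. It requires at least two indicators before flagging, mirroring the FBI's caveat that a single sign is not proof.

```python
"""Heuristic flagging of LAN hosts that behave like residential-proxy exits.

Added example; record layout, thresholds and sample hosts are assumptions.
One flow per line: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out> <bytes_in>",
which is what a router conntrack dump or NetFlow export looks like once normalised.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds for roughly an hour of home-LAN traffic (not from the PSA);
# baseline them while the device is known-good, then tune.
MIN_CONNECTIONS = 50     # a streaming box mostly idles; a proxy node churns flows
MIN_DISTINCT_NETS = 25   # legitimate boxes talk to a handful of CDN /24s
MAX_EGRESS_RATIO = 0.5   # bytes_out / total; video consumers are download-heavy
MIN_INDICATORS = 2       # one sign alone is not proof (the FBI's own caveat)


@dataclass
class HostStats:
    connections: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    dst_nets: set = field(default_factory=set)


def parse_record(line):
    """Return (src, dst, dport, bytes_out, bytes_in), or None for blank/comment lines.

    Malformed lines raise ValueError so a corrupt export is noticed instead of
    quietly under-counting a host.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    _ts, src, dst, dport, b_out, b_in = fields
    return src, dst, int(dport), int(b_out), int(b_in)


def aggregate(lines):
    """Roll flow records up into per-source-host statistics."""
    stats = defaultdict(HostStats)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, _dport, b_out, b_in = rec
        h = stats[src]
        h.connections += 1
        h.bytes_out += b_out
        h.bytes_in += b_in
        h.dst_nets.add(dst.rsplit(".", 1)[0])  # collapse destination to its /24
    return stats


def egress_ratio(h):
    total = h.bytes_out + h.bytes_in
    return h.bytes_out / total if total else 0.0


def indicators(h):
    """List the heuristic indicators a host trips (empty list if none)."""
    hits = []
    if h.connections >= MIN_CONNECTIONS:
        hits.append(f"{h.connections} outbound flows")
    if len(h.dst_nets) >= MIN_DISTINCT_NETS:
        hits.append(f"{len(h.dst_nets)} distinct destination /24s")
    if egress_ratio(h) > MAX_EGRESS_RATIO:
        hits.append(f"upload-heavy ({egress_ratio(h):.0%} egress)")
    return hits


def suspicious_hosts(lines):
    """Map src_ip -> indicators for hosts tripping at least MIN_INDICATORS."""
    flagged = {}
    for src, h in aggregate(lines).items():
        hits = indicators(h)
        if len(hits) >= MIN_INDICATORS:
            flagged[src] = hits
    return flagged


def constructed_sample():
    """Synthetic records (constructed, not captured) for three LAN hosts."""
    base = 1749100000
    lines = ["# epoch src dst dport bytes_out bytes_in"]
    # 192.168.1.20: name-brand TV, a dozen flows to two CDN /24s, download-heavy.
    for i in range(12):
        lines.append(f"{base + 60 * i} 192.168.1.20 203.0.{113 + i % 2}.10 443 {4000 + i} 2500000")
    # 192.168.1.50: laptop doing a cloud backup: upload-heavy but a single destination.
    for i in range(5):
        lines.append(f"{base + 600 * i} 192.168.1.50 203.0.113.200 443 200000000 1000")
    # 192.168.1.37: off-brand box relaying to 80 unrelated /24s, upload-heavy.
    for i in range(80):
        lines.append(f"{base + 30 * i} 192.168.1.37 198.51.{i}.7 443 60000 5000")
    return lines


if __name__ == "__main__":
    for src, hits in suspicious_hosts(constructed_sample()).items():
        print(f"{src}: {'; '.join(hits)}")
```

Only the off-brand box is reported: the backup laptop trips the egress check alone and is left off the list, which is the point of requiring two indicators. To run it against real traffic, normalise your router's connection-tracking dump or flow export into the six columns above and capture a baseline from a device you trust before adjusting the thresholds.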
The FBI also encourages reporting suspected compromises to the Internet Crime Complaint Center (IC3) at www.ic3.gov. Security products such as Bitdefender Mobile Security for Android or NETGEAR Armor can add a layer of protection on devices able to run them, but no app can clean an implant that ships in a device's firmware; a device showing the indicators above should be disconnected rather than left to a scanner.
A Persistent Threat
BADBOX 2.0 represents a significant escalation from its predecessor, which was first identified by HUMAN Security’s Satori Threat Intelligence team in 2023. Despite partial disruptions by German authorities in December 2024 and collaborative efforts by HUMAN, Google, Trend Micro, and the Shadowserver Foundation in March 2025, the botnet continues to grow. Researchers warn that the malware, often embedded in non-writable firmware partitions, is nearly impossible to remove, and threat actors, potentially linked to the China-based Lemon Group, are likely to adapt and relaunch operations.
“The disruption efforts led by HUMAN and partners cannot dismantle the supply chain that enables these threat actors to implant the backdoor into devices destined for consumer hands,” HUMAN Security noted, highlighting the challenge of addressing vulnerabilities in the global supply chain.
Broader Implications
The resurgence of BADBOX 2.0 underscores the growing overlap between consumer convenience and cybersecurity risks. As IoT devices become ubiquitous in homes, they offer cyber criminals a stealthy entry point to exploit unsuspecting users. The FBI’s warning serves as a reminder that cybersecurity is not just a corporate concern but a household necessity, particularly as botnets like BADBOX 2.0 enable large-scale fraud and cyberattacks.
Consumers and integrators alike are urged to prioritize device vetting, network monitoring, and education to mitigate these risks. As the FBI continues to investigate and collaborate with private-sector partners, staying vigilant and informed remains critical to safeguarding home networks from this pervasive threat.
For more details on mitigation guidance and to report suspicious activity, visit the FBI's Internet Crime Complaint Center at www.ic3.gov; the full PSA is at https://www.ic3.gov/PSA/2025/PSA250605.
Sources:
Federal Bureau of Investigation (FBI) Public Service Announcement, Internet Crime Complaint Center (IC3), June 5, 2025.
HUMAN Security, Satori Threat Intelligence and Research Team, March 5, 2025.
BleepingComputer, June 5, 2025.
The Record from Recorded Future News, June 6, 2025.
CEPRO, June 6, 2025.
Help Net Security, June 6, 2025.
BankInfoSecurity, June 7, 2025.
Bitdefender, June 6, 2025.
The420.in, June 7, 2025.