Feb 02, 2026 · 5 min read
The Badbox Botnet Has Infected 10 Million Android TV Boxes
Security researchers traced one of the largest IoT botnets ever documented to operators in China. The devices arrived compromised straight from the factory.
That cheap Android TV box you bought might be working against you. Investigators have traced the operators behind Badbox 2.0, a botnet controlling over 10 million compromised streaming devices, to individuals based in China. According to a Google lawsuit filed in July 2025, these devices are engaged in massive advertising fraud operations while sitting in living rooms around the world.
The infection often begins before consumers even unbox their devices. Malware is pre-installed during manufacturing, meaning the device is compromised from the moment it powers on. The FBI warned in June 2025 that "cyber criminals were gaining unauthorized access to home networks" through these backdoored streaming boxes.
Who Is Behind the Botnet
Security researcher Brian Krebs traced operational control of the botnet to two individuals based in China through analysis of domain registrations, email addresses, and corporate records:
- Chen Daihai was linked to multiple technology companies including Beijing Hong Dake Wang Science & Technology Co Ltd and Beijing Astrolink Wireless Digital Technology Co. Ltd., founded in 2008
- Zhu Zhiyu appears in archived company contact pages alongside Chen and was connected to domain registrations used in the botnet infrastructure
- A third figure, Huang Guilin, held the original admin account created in November 2020, though no corporate affiliation was identified
The investigation revealed a sophisticated operation with roots in the Chinese technology manufacturing sector. The Astrolink company connection suggests the botnet operators may have direct relationships with device manufacturers.
How Devices Get Infected
Badbox uses two primary infection vectors:
- Pre-installed malware: The device arrives from the factory with backdoors already embedded in the firmware. No user action is required for infection
- Malicious app downloads: During device setup, users may download apps from unofficial marketplaces that contain backdoors
The pre-installation vector is particularly concerning because it means even security-conscious consumers who avoid suspicious downloads can still end up with compromised devices. The malware operates at a low level, making it difficult or impossible to remove through normal means.
What the Botnet Does
Once active, infected devices serve multiple purposes for the operators:
- Advertising fraud: Devices generate fake ad impressions and clicks, stealing billions from advertisers
- Residential proxy abuse: Your home IP address is used to mask malicious traffic, making it appear to originate from legitimate residential connections
- Command execution: Operators can remotely execute commands on infected devices for various malicious purposes
- Network access: Compromised devices can serve as entry points into home networks
The advertising fraud alone generates substantial revenue. With 10 million devices generating fake impressions, even small amounts per device add up to significant profits. Meanwhile, legitimate advertisers pay for views and clicks that never reach real humans.
The Scale of the Problem
Ten million devices make Badbox 2.0 one of the largest IoT botnets ever documented. The original Badbox campaign was disrupted in 2024, but the operators quickly rebuilt with even greater scale.
The devices affected are primarily cheap, no-name Android TV boxes sold through online marketplaces. These devices are attractive to consumers because of their low prices and ability to run streaming apps, but the savings come at a hidden cost. Google's lawsuit describes them as "unsanctioned Android streaming devices," meaning they do not meet Google's security requirements for certified Android devices.
How to Protect Yourself
If you have an Android TV box, especially a budget model from an unknown manufacturer:
- Check certification: Certified Android TV devices display the "Play Protect" logo and are listed on Google's partner page
- Monitor network traffic: Use your router to look for unusual outbound connections from the device
- Isolate IoT devices: Place streaming boxes on a separate network segment from your computers and phones
- Consider replacement: If your device is from an unknown manufacturer, the safest option may be to replace it with a certified device
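The "monitor network traffic" step above can be turned into a simple check. The added example below is not from the article; it parses constructed router connection-log lines in a hypothetical format (the addresses are documentation ranges and the thresholds and expected-port list are illustrative assumptions) and flags a LAN host that fans out to many external destinations or uses ports a streaming box would not normally need, the kind of pattern residential-proxy abuse produces.

```python
import re
from collections import defaultdict

# Constructed router log lines (hypothetical format, not a real capture); 192.168.1.50 plays the TV box.
SAMPLE_LOG = """\
2026-02-01T20:00:01 OUT src=192.168.1.20 dst=203.0.113.5 dport=443 proto=tcp bytes=52000
2026-02-01T20:00:02 OUT src=192.168.1.50 dst=198.51.100.11 dport=443 proto=tcp bytes=900
2026-02-01T20:00:02 OUT src=192.168.1.50 dst=198.51.100.12 dport=8080 proto=tcp bytes=700
2026-02-01T20:00:03 OUT src=192.168.1.50 dst=198.51.100.13 dport=3128 proto=tcp bytes=650
2026-02-01T20:00:03 OUT src=192.168.1.50 dst=198.51.100.14 dport=1080 proto=tcp bytes=800
2026-02-01T20:00:04 OUT src=192.168.1.50 dst=198.51.100.15 dport=443 proto=tcp bytes=500
2026-02-01T20:00:04 OUT src=192.168.1.50 dst=198.51.100.16 dport=443 proto=tcp bytes=600
2026-02-01T20:00:05 OUT src=192.168.1.50 dst=198.51.100.17 dport=443 proto=tcp bytes=550
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
EXPECTED_PORTS = {53, 80, 123, 443}  # assumption: all a streaming box legitimately needs

def parse_log(text):
    """Yield (src, dst, dport) per line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def summarize(records):
    """Per-source counters: distinct destinations and ports outside EXPECTED_PORTS."""
    stats = defaultdict(lambda: {"dsts": set(), "odd_ports": set()})
    for src, dst, dport in records:
        stats[src]["dsts"].add(dst)
        if dport not in EXPECTED_PORTS:
            stats[src]["odd_ports"].add(dport)
    return stats

def flag_devices(stats, max_dsts=5, max_odd_ports=2):
    """Return {src: [reasons]} for hosts fanning out to many destinations or odd ports (thresholds illustrative)."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if len(s["dsts"]) > max_dsts:
            reasons.append(f"{len(s['dsts'])} distinct destinations in window")
        if len(s["odd_ports"]) > max_odd_ports:
            reasons.append(f"unexpected ports {sorted(s['odd_ports'])}")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for src, reasons in flag_devices(summarize(parse_log(SAMPLE_LOG))).items():
        print(f"{src}: {'; '.join(reasons)}")
```

On a real router, point the parser at exported connection logs or NetFlow records and tune the thresholds against a few days of the device's normal traffic before trusting the alerts.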
Major brands like Nvidia Shield, Chromecast with Google TV, and Amazon Fire TV go through certification processes that should prevent pre-installed malware. The small premium for a known brand may be worth avoiding the risks of cheaper alternatives.
Why This Keeps Happening
The economics of cheap electronics make these attacks profitable and difficult to stop. Manufacturers competing on price have little incentive to invest in security. Consumers cannot verify device integrity before purchase. And operators based in China face minimal legal consequences for their actions.
Until there are meaningful penalties for manufacturing compromised devices or until consumers demand certified products, botnets like Badbox will continue to grow. Each disrupted operation is quickly replaced by a successor, often larger than the original.
For now, the safest approach is skepticism. That $30 streaming box might be the best deal you have ever found, or it might be 10 million reasons to reconsider.