A supply-chain botnet operation hiding malware inside cheap Android devices before they reach consumers. Confirmed by the FBI, Google, Trend Micro, HUMAN Security, and Shadowserver.
BADBOX is not a traditional influence operation; it is a firmware-level supply chain attack that turns ordinary consumer devices into criminal infrastructure. It matters for media literacy because the same botnet used for ad fraud is also rented out for fake account creation and for residential proxying that launders malicious traffic, and it could be used to amplify inauthentic online behavior at scale.
What BADBOX-Infected Devices Can Do
Ad Fraud
Opens hidden browser views and renders and clicks ads in the background without the user's knowledge, generating fraudulent revenue for the operators.
Residential Proxy
Sells access to your home IP address to other criminals, who route malicious traffic through your network so that it looks like ordinary residential internet use.
Fake Accounts
Creates fraudulent accounts on social media, email platforms, and other services, potentially feeding bot networks and influence operations.
One-Time Password Interception
Reads one-time passwords delivered by SMS, enabling account takeover on platforms such as WhatsApp, Facebook, and banking apps.
Silent App Installs
Downloads and installs additional malware or apps in the background without user consent, inflating app install counts and enabling further exploitation.
DDoS and Malware Delivery
Infected devices can also be directed to take part in distributed denial-of-service attacks or to act as distribution nodes for additional malware.
How To Protect Yourself
- Only buy Android TV/streaming devices from established, recognizable brands sold through official retailers.
- Never disable Google Play Protect. A legitimate app never requires this.
- Avoid devices advertised as "unlocked," capable of streaming free content, or running apps from unofficial marketplaces.
- Monitor your home network traffic for unexplained outbound connections. Consider a router with traffic visibility.
- Check that your Android device is Play Protect certified โ uncertified AOSP devices lack Google's security protections.
- If you suspect a device is compromised, disconnect it from your network. A factory reset will not remove malware baked into the firmware image, and reflashing only helps if a trustworthy clean image exists for that exact model, which no-name boxes rarely offer.
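The network-monitoring advice above is easier to act on with a concrete check. The following Python script is an added example, not code from any of the BADBOX reports or from the organizations named on this page. It reads connection records in an assumed, constructed format (epoch seconds, source IP, destination host, destination port; real routers and firewalls log differently and would need a small adapter) and flags any device that contacts the same destination at a nearly constant interval, the timer-driven check-in pattern that separates command-and-control beaconing from bursty human browsing. The sample log is constructed for the example: one streaming box polls a single host every ten minutes while a laptop browses irregularly.

```python
"""Flag hosts on a home network that beacon to one destination on a steady timer.

Added illustration for this page, not code from any BADBOX research. The log
format is an assumption for the example: "<epoch_seconds> <src_ip> <dst_host> <dst_port>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. 192.168.1.23 is a streaming box checking in every
# ~600 s with a few seconds of jitter; 192.168.1.50 is a laptop browsing normally.
SAMPLE_LOG = """\
1700000000 192.168.1.23 cdn-check.example.net 443
1700000010 192.168.1.50 news.example.org 443
1700000130 192.168.1.50 news.example.org 443
1700000603 192.168.1.23 cdn-check.example.net 443
1700001198 192.168.1.23 cdn-check.example.net 443
1700001801 192.168.1.23 cdn-check.example.net 443
1700001900 192.168.1.50 news.example.org 443
1700002000 192.168.1.50 news.example.org 443
1700002399 192.168.1.23 cdn-check.example.net 443
1700002400 192.168.1.50 mail.example.com 993
1700003002 192.168.1.23 cdn-check.example.net 443
1700003598 192.168.1.23 cdn-check.example.net 443
1700004201 192.168.1.23 cdn-check.example.net 443
1700004800 192.168.1.23 cdn-check.example.net 443
1700005400 192.168.1.23 cdn-check.example.net 443
1700005500 192.168.1.50 news.example.org 443
1700006100 192.168.1.50 news.example.org 443
"""


def parse_log(text):
    """Parse the assumed four-field log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events


def find_beacons(events, min_events=5, max_cv=0.10):
    """Return flows whose inter-connection intervals are nearly constant.

    A flow is (src_ip, dst_host, dst_port). Regularity is measured by the
    coefficient of variation of the intervals (population std dev / mean):
    human-driven traffic is bursty (high CV), a timer-driven check-in is not.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in events:
        flows[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "count": len(stamps), "interval_s": round(avg), "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every ~{hit['interval_s']}s "
              f"({hit['count']} connections, cv={hit['cv']})")
```

Run it over a connection export from your router or a flow summary of a packet capture after converting to the four-field format. Lowering max_cv tightens the periodicity test; raising min_events suppresses noise from short sessions. A hit is not proof of infection, since legitimate update checks also beacon, but it gives you a specific device and destination to compare against the indicators of compromise published by the FBI and the Shadowserver Foundation.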
Who Is Tracking BADBOX?
The Shadowserver Foundation coordinates BADBOX 2.0 sinkholes and publishes infection data. Their dashboard tracks compromised device activity in near-real time by country.
Definitive technical research from the Satori Threat Intelligence team covering BADBOX infrastructure, operators, device models, and fraud mechanisms.
Official FBI warning including indicators of compromise, affected device categories, and mitigation guidance.
Original research exposing the 8.9 million-device Lemon Group operation and Guerrilla malware ecosystem.
The first public report documenting factory-installed malware inside a consumer Android TV box.
Key Findings
Scale
Millions of Android-based devices have been implicated across multiple investigations.
Persistence
The malware is embedded before purchase, making removal difficult.
Global Reach
Affected devices have been identified across dozens of countries.
Timeline
January 2023
T95 TV Box Discovery
Security researcher Daniel Milisic purchased a T95 Android TV box from Amazon for about $40 and discovered that its firmware shipped with a persistent backdoor: the malware was present out of the box, before the device had ever been connected to the internet, and once online the box contacted a command-and-control server and silently joined an ad fraud botnet. Malwarebytes confirmed the finding. Because the malware was embedded in the factory firmware image rather than installed as an ordinary app, a factory reset does not remove it, and ordinary users have no practical way to clean the device.
Source: Malwarebytes analysis
May 2023
Lemon Group / Guerrilla malware โ 8.9 million devices
Trend Micro researchers, presenting at Black Hat Asia 2023, documented a criminal group called "Lemon Group" that had embedded malware known as "Guerrilla" into approximately 8.9 million Android devices across 180 countries, including smartphones, smartwatches, TV boxes, and tablets from more than 50 device brands. The malware could silently load additional payloads, intercept one-time passwords from SMS messages, set up reverse proxies on the infected device, and hijack WhatsApp sessions. Lemon Group ran it as a commercial service, selling access to infected devices, SMS interception, and ad fraud capacity to other criminal customers.
Source: Trend Micro / Black Hat Asia report
2023–2024
BADBOX 1.0: first disruption
HUMAN Security's Satori team formally named and documented the operation as "BADBOX", a botnet built on backdoored Android Open Source Project (AOSP) devices shipped globally. In December 2024 Germany's Federal Office for Information Security (BSI) sinkholed the botnet's command-and-control traffic for infected devices in Germany, partially disrupting the operation. The threat actors adapted quickly.
Source: HUMAN Security Satori report
March 2025
BADBOX 2.0: 1 million+ devices, four criminal groups
HUMAN Security's Satori team, working with Google, Trend Micro, and Shadowserver, uncovered BADBOX 2.0, a major expansion involving at least four distinct criminal groups: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The botnet had infected over 1 million devices globally, concentrated in Brazil (37.6%), the United States (18.2%), Mexico, Argentina, and Colombia, with traffic observed from 222 countries and territories. BADBOX 2.0 added a new infection vector: beyond factory-preinstalled malware, devices could now also be infected by downloading trojanized apps from unofficial app marketplaces. Google removed 24 Play Store apps found to be distributing the malware.
Source: HUMAN Security BADBOX 2.0 report
June 5, 2025
FBI public warning issued
The FBI's Internet Crime Complaint Center (IC3) issued Public Service Announcement I-060525-PSA, formally warning the U.S. public about BADBOX 2.0. The FBI confirmed the botnet compromises TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames, and other IoT products, most of them manufactured in China. The announcement was coordinated with Google, HUMAN Security, Trend Micro, and the Shadowserver Foundation.
Source: FBI IC3 Public Service Announcement
July 11, 2025
Google sues 25 Chinese entities: 10 million devices confirmed
Google filed a federal lawsuit against 25 Chinese entities involved in the BADBOX 2.0 operation, revising the confirmed infection count to over 10 million devices. The complaint described four specialized groups within the operation: an Infrastructure Group managing command-and-control servers; a Backdoor Malware Group pre-installing malware at the factory; an Evil Twin Group publishing fake versions of legitimate Google Play apps to serve hidden ads; and an Ad Games Group using fraudulent game apps to generate ad revenue. Google also updated Play Protect to automatically block BADBOX-related apps.
Source: Google lawsuit coverage (The Hacker News)