BADBOX 2.0
BadBox 2.0 is an Android malware campaign and botnet, also described as a backdoor and fraud scheme, that primarily affects low-cost Android consumer devices, many of which are not Play Protect certified. Reported targets include TV streaming boxes, Android TV boxes, digital projectors, tablets, smartphones, other smart devices, and aftermarket vehicle entertainment systems; many affected devices are described as manufactured in China and sold through online stores, electronics retailers, and other distribution channels. Multiple sources state the malware is usually preinstalled during manufacturing or elsewhere in the supply chain, before the user first powers on the device, although some infections are also reported to occur during setup through malicious app downloads, suspicious websites, or unofficial app marketplaces.
The malware operates with elevated or root-level privileges and is described as extremely difficult or practically impossible for users to remove when embedded in firmware. One reported BADBOX variant was embedded in a malicious native library, librescache.so, loaded by the Android system framework; Kaspersky reported this caused a copy of the Trojan to infiltrate every running process on the device. The campaign has also been associated with the Triada Trojan lineage, and some reporting states Triada was detected on Badbox-infected devices.
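The practical consequence of a library loaded by the system framework is that it shows up in system_server and in every app process forked from zygote, not in one suspicious app. The following triage helper, added here as an example (it is not code from Kaspersky or from any BADBOX report), parses /proc/&lt;pid&gt;/maps text and reports which processes have a suspect native library mapped. On a device where you have a shell, the input is what `adb shell "cat /proc/$PID/maps"` returns; the maps excerpts below are constructed for the example, and only the library name librescache.so comes from the reporting. The surrounding paths, pids and addresses are assumptions.

```python
"""Which processes have a suspicious native library mapped?

Added triage example; not code from Kaspersky or any BADBOX report.
Input is /proc/<pid>/maps text (e.g. adb shell "cat /proc/$PID/maps").
The maps excerpts below are constructed; only librescache.so is from the
reporting, the paths, pids and addresses around it are assumptions.
"""
import re
from collections import defaultdict

# One maps line: start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>\S.*)?$"
)

SUSPECT_LIBS = {"librescache.so"}  # name taken from the reporting

SAMPLE_MAPS = {  # constructed: pid -> contents of /proc/<pid>/maps
    1234: (  # system_server loads the framework, so it picks the library up
        "12c00000-52c00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]\n"
        "7a1b2c0000-7a1b2d8000 r--p 00000000 fe:01 1823   /system/lib64/libandroid_runtime.so\n"
        "7a1b2d8000-7a1b3c0000 r-xp 00018000 fe:01 1823   /system/lib64/libandroid_runtime.so\n"
        "7a1c000000-7a1c010000 r--p 00000000 fe:01 4410   /system/lib64/librescache.so\n"
        "7a1c010000-7a1c040000 r-xp 00010000 fe:01 4410   /system/lib64/librescache.so\n"
    ),
    2345: (  # a native daemon that never loads the Java framework: clean
        "5a0000000-5a0010000 r-xp 00000000 fe:01 2201   /system/bin/logd\n"
        "7b00000000-7b00040000 r-xp 00000000 fe:01 1500   /system/lib64/libc.so\n"
    ),
    3456: (  # an ordinary app process forked from zygote: also carries it
        "7a1c000000-7a1c010000 r--p 00000000 fe:01 4410   /system/lib64/librescache.so\n"
        "7a1c010000-7a1c040000 r-xp 00010000 fe:01 4410   /system/lib64/librescache.so\n"
        "7c00000000-7c00020000 r-xp 00000000 fe:01 9001   /data/app/com.example.tv/lib/arm64/libplayer.so\n"
    ),
}


def parse_maps(text):
    """Return {path: set(perms)} for every file-backed mapping in one maps dump."""
    mapped = defaultdict(set)
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m or not m.group("path") or m.group("inode") == "0":
            continue  # anonymous mapping, or a line we do not understand
        mapped[m.group("path")].add(m.group("perms"))
    return dict(mapped)


def suspicious_mappings(maps_by_pid, suspects=SUSPECT_LIBS):
    """List every (pid, path, executable?) where a suspect library is mapped."""
    hits = []
    for pid, text in sorted(maps_by_pid.items()):
        for path, perms in parse_maps(text).items():
            if path.rsplit("/", 1)[-1] in suspects:
                hits.append({
                    "pid": pid,
                    "path": path,
                    "executable": any("x" in p for p in perms),
                })
    return hits


def infected_pids(maps_by_pid, suspects=SUSPECT_LIBS):
    """Sorted pids carrying a suspect library. A framework-level implant is
    expected in system_server and in every zygote-forked app at once."""
    return sorted({h["pid"] for h in suspicious_mappings(maps_by_pid, suspects)})


if __name__ == "__main__":
    for hit in suspicious_mappings(SAMPLE_MAPS):
        print(hit)
    print("infected pids:", infected_pids(SAMPLE_MAPS))
```

The breadth of the hit list is the tell: a single app mapping an odd library is an app problem, while the same library mapped executable in system_server and in unrelated app processes points at the framework or zygote, which is firmware-level and not something an uninstall fixes.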
Documented capabilities include silently installing additional applications or modules, remote execution of additional modules, collecting data, displaying or clicking ads for ad fraud, spying on users, and enrolling devices into a broader botnet. BadBox 2.0 has been repeatedly described as functioning both as an ad fraud engine and as a residential proxy network, allowing compromised devices to relay traffic for other criminal activity. Reported monetization and downstream abuse include advertising fraud, phishing, denial-of-service activity, bandwidth resale, and use of infected devices as proxy infrastructure. Some reporting also notes that infected devices may appear to function normally while malicious activity occurs in the background.
The campaign is described as very large in scale. Google stated in a July 2025 lawsuit that operators of the BadBox 2.0 enterprise had compromised over 10 million Android devices. The FBI warned that millions of internet-connected devices were infected. Other reporting cited around 200 Android device models affected in one case, mostly cheap TV set-top boxes sold under various brands, with some tablets and smartphones also impacted, including devices purchased for schools. Human Security described BadBox 2.0 as the largest botnet of infected connected TV devices uncovered, and reporting noted significant impact in Brazil and the United States. The Estonian Information System Authority reportedly detected more than 7,000 infected devices in Estonia, and Ireland and Finland also reported BADBOX-related activity or warnings.
BadBox 2.0 is closely associated in the reporting with the Vo1d ecosystem, and some disrupted infrastructure was linked to related proxy and ad-fraud operations. Google, HUMAN Security, and Trend Micro were reported to have disrupted BadBox 2.0 in July 2025, and Google filed suit against alleged operators described as being in China. High-confidence indicators and artifacts named directly in the underlying reporting include the malicious library librescache.so, affected device/model references such as TV98 and X96, and the repeated association with cheap Android TV boxes that lack Google Play Protect certification.
Groups observed using it
5 distinct threat actors attributed by public researchers.
BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse
"Google filed a 'John Doe' lawsuit ... against ... the 'BadBox 2.0 Enterprise,' which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud."
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
3 techniques
or “infecting the device as it downloads required applications that contain backdoors, usually during the setup process,”
Execution
2 techniques
Persistence
2 techniques
Privilege Escalation
2 techniques
We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.
Stealth
4 techniques
Unlike many other malware families, BadBox 2.0 runs with the device's root-level privileges, which makes removing it practically impossible without special measures.
“decrypted data… using RC4… payload… loaded via DexClassLoader… C2 server addresses… Base64… gzip… AES-128… Another backdoor… single-byte XOR and executes it…”
We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.
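The Stealth evidence above names the encoding layers the loader peels before it hands a payload to DexClassLoader: RC4, Base64, gzip, AES-128 and single-byte XOR. The block below is an added example, not code from Kaspersky or from the BADBOX loader. It implements RC4 and single-byte XOR from scratch, uses the standard library for Base64 and gzip, and leaves AES out to stay dependency-free. The keys, the layer order, the stub DEX header and the joining of the page's C2 domains and path into URLs are all assumptions constructed for the example; the real loader's keys and layering are not given on this page.

```python
"""Peeling the encoding layers named in the loader evidence.

Added example; not code from Kaspersky or from the BADBOX loader.
RC4 and single-byte XOR are implemented here, Base64 and gzip come from the
standard library, AES is left out. Every key, blob, layer order and C2 URL
below is constructed for the example.
"""
import base64
import gzip

DEX_MAGIC = b"dex\n"  # a classes.dex starts with this, version bytes follow


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, magic: bytes = DEX_MAGIC):
    """Brute-force the one-byte key: which key turns the head of the blob
    into the DEX magic? Returns None if no key fits."""
    for key in range(256):
        if xor_single_byte(blob[: len(magic)], key) == magic:
            return key
    return None


def decode_c2_list(blob: bytes) -> list:
    """Base64 -> gzip -> newline-separated C2 URLs (layering is an assumption)."""
    raw = gzip.decompress(base64.b64decode(blob))
    return [ln.strip() for ln in raw.decode("utf-8").splitlines() if ln.strip()]


def unwrap_config(rc4_blob: bytes, rc4_key: bytes) -> list:
    """RC4 outer layer, then the Base64+gzip inner layer."""
    return decode_c2_list(rc4(rc4_key, rc4_blob))


# --- constructed samples ---------------------------------------------------
# Domains and path are the IOCs quoted on this page; joining them into URLs
# is an assumption made for the example.
C2_URLS = [
    "https://keepgo123.com/ak/api/pts/v4",
    "https://gsonx.com/ak/api/pts/v4",
]
RC4_KEY = b"example-rc4-key"  # assumption
C2_INNER = base64.b64encode(gzip.compress("\n".join(C2_URLS).encode("utf-8")))
C2_BLOB = rc4(RC4_KEY, C2_INNER)

XOR_KEY = 0x5A  # assumption
FAKE_DEX = DEX_MAGIC + b"035\x00" + bytes(range(24))  # stub header, constructed
XORED_DEX = xor_single_byte(FAKE_DEX, XOR_KEY)

if __name__ == "__main__":
    key = recover_xor_key(XORED_DEX)
    print("xor key: 0x%02x ->" % key, xor_single_byte(XORED_DEX, key)[:8])
    print("c2:", unwrap_config(C2_BLOB, RC4_KEY))
```

The XOR recovery works because a single-byte key maps each plaintext byte to exactly one ciphertext byte, so a four-byte known header pins the key uniquely; the same trick applies to any payload with a fixed magic (ELF, ZIP/APK, DEX). For the RC4 layer there is no such shortcut, the key has to be pulled from the loader's code or memory, which is why a native-library loader is where the analysis usually starts.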
Credential Access
1 technique
Collection
1 technique
Command and Control
4 techniques
"establishes a client-server architecture"; "queries C2 servers"; "Domain keepgo123.com, gsonx.com"; "Path /ak/api/pts/v4"
Because the infected devices have access to the internet, the hackers can harness the botnet as a proxy service, creating a launching pad for other cybercriminal activities
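Two things are worth hunting for in egress telemetry from a network that hosts these boxes: contact with the C2 indicators quoted above, and the traffic shape of a device that has been turned into a proxy exit. The block below is an added example and is not detection content from HUMAN, Google or Trend Micro. The domains keepgo123.com and gsonx.com and the path /ak/api/pts/v4 are the indicators quoted on this page; the log format, every log line, and the fan-out and byte thresholds used to flag a relay are constructed for the example.

```python
"""Hunting BADBOX 2.0 C2 contact and proxy-relay behaviour in egress logs.

Added example; not detection content from HUMAN, Google or Trend Micro.
C2 domains and path are the IOCs quoted on the page. The log format, the
log lines and the relay thresholds are constructed for the example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

C2_DOMAINS = {"keepgo123.com", "gsonx.com"}
C2_PATHS = {"/ak/api/pts/v4"}

# Constructed log lines, one of three shapes:
#   <ts> <client_ip> dns <qname>
#   <ts> <client_ip> http <method> <url>
#   <ts> <client_ip> flow <dst_ip>:<dst_port> <bytes_out>
SAMPLE_LOG = """\
2025-07-18T10:00:01Z 192.168.1.40 dns api.keepgo123.com
2025-07-18T10:00:02Z 192.168.1.40 http POST http://api.keepgo123.com/ak/api/pts/v4
2025-07-18T10:00:03Z 192.168.1.41 dns www.example.org
2025-07-18T10:00:04Z 192.168.1.41 http GET https://www.example.org/index.html
2025-07-18T10:00:05Z 192.168.1.40 http GET http://198.51.100.7/ak/api/pts/v4
2025-07-18T10:00:06Z 192.168.1.40 flow 203.0.113.10:443 48211
2025-07-18T10:00:07Z 192.168.1.40 flow 203.0.113.11:443 51003
2025-07-18T10:00:08Z 192.168.1.40 flow 203.0.113.12:80 9001
2025-07-18T10:00:09Z 192.168.1.40 flow 203.0.113.13:443 73990
2025-07-18T10:00:10Z 192.168.1.40 flow 203.0.113.14:8080 20500
2025-07-18T10:00:11Z 192.168.1.41 flow 203.0.113.10:443 1200
2025-07-18T10:00:12Z 192.168.1.42 dns gsonx.com.cdn.example.net
"""


def domain_matches(qname, domains=C2_DOMAINS):
    """True if qname equals or is a subdomain of a C2 domain. Label-aware,
    so gsonx.com.cdn.example.net does not match gsonx.com."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def parse_line(line):
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, client, kind = parts[0], parts[1], parts[2]
    rec = {"ts": ts, "client": client, "kind": kind}
    if kind == "dns":
        rec["qname"] = parts[3]
    elif kind == "http" and len(parts) >= 5:
        u = urlsplit(parts[4])
        rec.update(method=parts[3], host=u.hostname or "", path=u.path)
    elif kind == "flow" and len(parts) >= 5:
        dst, port = parts[3].rsplit(":", 1)
        rec.update(dst=dst, port=int(port), bytes_out=int(parts[4]))
    else:
        return None
    return rec


def ioc_hits(lines):
    """(client, reason) for every line that touches a C2 indicator."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reason = None
        if rec["kind"] == "dns" and domain_matches(rec["qname"]):
            reason = "dns:" + rec["qname"]
        elif rec["kind"] == "http":
            if domain_matches(rec["host"]):
                reason = "http-host:" + rec["host"]
            elif rec["path"] in C2_PATHS:
                reason = "http-path:" + rec["path"]  # weaker: path only, host unknown
        if reason:
            hits.append((rec["client"], reason))
    return hits


def relay_suspects(lines, min_destinations=4, min_bytes_out=100_000):
    """Clients that fan out to many distinct destinations and push a lot of
    bytes. A TV box mostly pulls video; a residential-proxy node pushes."""
    dsts, out = defaultdict(set), defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "flow":
            dsts[rec["client"]].add(rec["dst"])
            out[rec["client"]] += rec["bytes_out"]
    return sorted(c for c in dsts
                  if len(dsts[c]) >= min_destinations and out[c] >= min_bytes_out)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("ioc hits:", ioc_hits(lines))
    print("relay suspects:", relay_suspects(lines))
```

The path-only match is deliberately reported separately from the host match: /ak/api/pts/v4 on an unknown IP is a lead, not a verdict, whereas a DNS query or HTTP Host for a listed domain is the indicator as published. The relay heuristic is the part to tune against your own baseline, since the thresholds here are constructed; what you are looking for is a consumer device whose outbound byte count and destination diversity look like a server's.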
Recent activity
57 sources tracked across advisories, community write-ups, and news.
Botnet closely associated with Vo1d and disrupted by Google, HUMAN Security, and Trend Micro; referenced as part of the same Android TV box abuse ecosystem.
Android botnet targeting mostly cheap TV boxes and other uncertified Android devices; used as a proxy network and ad fraud engine.
Referenced as another ad fraud operation linked through monetization techniques used by the Trapdoor campaign.
A large-scale Android device malware operation involving pre-installed malicious software in the supply chain, with an estimated 10 million or more affected devices.