The Hidden Dangers of Cheap TV Streaming Boxes: Badbox 2.0 Malware Threat
Cheap Android TV streaming boxes may seem like a great deal, but hidden malware could turn them into tools for cybercriminals. A new investigation reveals that over 1 million devices, including TV boxes, tablets, and car infotainment systems, are infected with malware, making them part of a massive botnet used for fraud and proxy services. Learn how these devices are being exploited and what you can do to protect yourself.

Cheap Android-based TV streaming boxes have become a popular and affordable option for many households, schools, and businesses. However, new research has uncovered a hidden danger lurking within these devices. Over 1 million streaming boxes, tablets, projectors, and even car infotainment systems have been compromised with a new generation of malware, known as Badbox 2.0, turning them into tools for cybercriminals.
A Growing Cybersecurity Threat
According to cybersecurity firm Human Security, these compromised devices are being used for advertising fraud and as residential proxy nodes: the infected box relays other people's traffic so that it appears to come from an ordinary home internet connection, hiding the real origin of the illicit activity. The worst part? Most device owners are completely unaware that their streaming boxes are being exploited for cybercrime.
Gavin Reid, Chief Information Security Officer at Human Security, explains, “This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever. The main way cybercriminals monetize these infected devices is by reselling proxy services, using unsuspecting victims’ connections for various fraudulent activities.”
Widespread Impact
The majority of infected devices have been found in South America, especially Brazil. These devices are often generic, low-cost models, not affiliated with major brands. The most affected models include the TV98 and X96 device families, all running Android Open Source Project (AOSP) builds that are not Play Protect certified, so they fall outside Google's device security checks and Play Protect app scanning.
Google has taken action against the ad fraud aspect of the scheme, terminating publisher accounts linked to these scams. A Google spokesperson emphasized that such malicious activities are strictly prohibited on its platforms and that collaboration with security firms like Human Security helps in identifying and neutralizing these threats.
Evolution of the Badbox Campaign
The original Badbox campaign was a supply-chain compromise: the backdoor was baked into the firmware of streaming boxes before they reached consumers. Badbox 2.0 has shifted tactics to a software-based backdoor that can be delivered after purchase, distributed through drive-by downloads and other deceptive methods.
Cybercriminals are also employing a technique known as “evil twin” apps—where they release a legitimate version of an app on the Google Play Store, only to later trick users into downloading an identical but malicious version from unofficial sources. Researchers have identified at least 24 cases of such fraudulent apps and over 200 compromised versions of mainstream applications.
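The practical check that follows from the "evil twin" technique is to ask the device where each installed app came from: the twin is only ever installed from outside the Play Store, so its installer is not `com.android.vending`. The following is an added example, not code from Human Security or from the article, that parses the output of `adb shell pm list packages -i` (each line has the form `package:<name>  installer=<source>`) and the `ro.build.tags` / `ro.build.type` properties from `adb shell getprop`. The sample output is constructed, and the allowlist of system package prefixes is an assumption that would need adjusting per device build.

```python
import re
from dataclasses import dataclass

# Constructed sample of `adb shell pm list packages -i` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.netflix.mediaclient  installer=com.android.vending
package:com.example.videoplayer  installer=com.android.vending
package:com.example.videoplayer.free  installer=null
package:com.tvbox.launcher  installer=com.android.packageinstaller
"""

# Constructed sample of `adb shell getprop` values for two build properties.
SAMPLE_PROPS = {
    "ro.build.tags": "test-keys",
    "ro.build.type": "userdebug",
}

# Installers treated as trusted: only the Google Play Store package name.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumption: preloaded system apps legitimately report installer=null, so
# packages under these prefixes are not reported. Adjust per device build.
SYSTEM_PACKAGE_PREFIXES = ("com.android.", "com.google.android.")

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Map package name -> installer package (or 'null') from `pm list packages -i`."""
    pkgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def find_sideloaded(pkgs):
    """Return non-system packages that did not come from the Play Store."""
    findings = []
    for pkg, installer in sorted(pkgs.items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        if pkg.startswith(SYSTEM_PACKAGE_PREFIXES):
            continue
        findings.append(Finding(pkg, installer, "not installed from the Play Store"))
    return findings


def firmware_warnings(props):
    """Flag build properties that indicate a non-production firmware image."""
    warnings = []
    if props.get("ro.build.tags") == "test-keys":
        warnings.append("ro.build.tags=test-keys: image signed with AOSP test keys, not a release key")
    if props.get("ro.build.type", "") != "user":
        warnings.append(f"ro.build.type={props.get('ro.build.type')}: not a production 'user' build")
    return warnings


def triage(pm_output, props):
    """Combine both checks into one report dict."""
    return {
        "sideloaded": find_sideloaded(parse_pm_output(pm_output)),
        "firmware": firmware_warnings(props),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PM_OUTPUT, SAMPLE_PROPS)
    for f in report["sideloaded"]:
        print(f"{f.package}: installer={f.installer} ({f.reason})")
    for w in report["firmware"]:
        print(w)
```

On a real box, feed it the live output of `adb shell pm list packages -i` and `adb shell getprop`. A sideloaded app is not proof of infection, but an app the owner never installed, or a build signed with test keys, is exactly the kind of device the article describes.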
Who’s Behind Badbox 2.0?
Unlike a single coordinated attack, Badbox 2.0 appears to be the work of multiple loosely connected fraud groups, each using their own malware variants and distribution methods. Security firm Trend Micro, which collaborated on the investigation, believes many of these groups are tied to Chinese gray market advertising firms.
Fyodor Yarochkin, a senior threat researcher at Trend Micro, highlights that “easily up to a million devices are online at any given time, but the number of devices that have been infected at some point likely exceeds a few million.” The investigation has even identified business entities in China connected to Badbox 2.0 through economic and technical links.
What’s Being Done to Stop It?
Human Security, Trend Micro, and Google, in collaboration with the Shadowserver Foundation, have attempted to neutralize Badbox 2.0's botnet by sinkholing its infrastructure, that is, taking control of the command-and-control domains so that infected devices connect to servers run by the researchers and can no longer receive instructions. However, given how the cybercriminals adapted after the original Badbox campaign was exposed, it is unlikely that this effort alone will permanently halt their activities.
How to Protect Yourself
To avoid falling victim to these cyber threats, users should follow these precautions:
- Avoid ultra-cheap TV boxes and devices that seem too good to be true; unbranded boxes sold far below the price of a certified Android TV device are the models most often found infected.
- Stick to well-known brands that offer security updates and official support, and prefer devices that are Play Protect certified.
- Download apps only from the official Google Play Store, and do not sideload APKs from third-party stores or links; that is the route the "evil twin" apps take onto a device.
- Regularly update your device's firmware and software to patch security vulnerabilities.
- Use network monitoring tools to check for unusual traffic from your devices. A streaming box should talk to a handful of streaming and update endpoints and download far more than it uploads; a box that contacts many distinct destinations on odd ports, or uploads as much as it downloads, is likely relaying someone else's traffic.
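What "unusual traffic" looks like for a proxy node can be made concrete. The following is an added example, not code from the article or from Human Security, that scores per-device flow summaries (as a router, Zeek `conn.log` or NetFlow export would provide) on three indicators of relaying: number of distinct destinations, number of distinct destination ports, and the share of bytes the device sends rather than receives. The flow records are constructed, the thresholds are assumptions chosen to separate the two constructed devices, and a real deployment would tune them against a baseline of the box's own normal behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # LAN address of the device under observation
    dst: str        # remote address it talked to
    dport: int      # remote port
    bytes_out: int  # device -> remote
    bytes_in: int   # remote -> device


def constructed_flows():
    """Constructed sample flows (not real traffic); addresses are documentation ranges."""
    flows = []
    # 192.168.1.20 behaves like a normal streaming box: four CDN endpoints,
    # HTTPS only, downloads far more than it uploads.
    for i in range(12):
        flows.append(Flow("192.168.1.20", f"198.51.100.{10 + i % 4}", 443, 4_000, 1_500_000))
    # 192.168.1.21 behaves like a residential-proxy node: forty distinct
    # destinations, mixed ports, uploads more than it downloads.
    ports = [80, 443, 8080, 8443, 1080, 3128, 5000]
    for i in range(40):
        flows.append(Flow("192.168.1.21", f"203.0.113.{1 + i}", ports[i % len(ports)], 60_000, 9_000))
    return flows


def summarize(flows):
    """Aggregate flows per source device."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "out": 0, "in": 0, "flows": 0})
    for f in flows:
        s = stats[f.src]
        s["dsts"].add(f.dst)
        s["ports"].add(f.dport)
        s["out"] += f.bytes_out
        s["in"] += f.bytes_in
        s["flows"] += 1
    return stats


def flag_proxy_like(flows, max_dsts=20, max_ports=5, max_upload_ratio=0.5):
    """Return {src: [reasons]} for devices whose profile looks like traffic relaying.

    Thresholds are assumptions for this constructed sample; tune them from a
    baseline of the device's own normal traffic.
    """
    flagged = {}
    for src, s in summarize(flows).items():
        total = s["out"] + s["in"]
        upload_ratio = s["out"] / total if total else 0.0
        reasons = []
        if len(s["dsts"]) > max_dsts:
            reasons.append(f"{len(s['dsts'])} distinct destinations (> {max_dsts})")
        if len(s["ports"]) > max_ports:
            reasons.append(f"{len(s['ports'])} distinct destination ports (> {max_ports})")
        if upload_ratio > max_upload_ratio:
            reasons.append(f"upload share {upload_ratio:.2f} of bytes (> {max_upload_ratio})")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for device, reasons in flag_proxy_like(constructed_flows()).items():
        print(device)
        for r in reasons:
            print("  -", r)
```

The upload share is the most telling single indicator for a streaming device: video playback is almost entirely download, so a box whose outbound bytes rival its inbound bytes is doing something other than streaming.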
As Trend Micro’s Yarochkin warns, “If the device is too cheap to be true, be prepared for some hidden surprises. There is no free cheese unless the cheese is in a mousetrap.”