If you own an Android TV box from an unknown brand, don’t be surprised if a hacker secretly has access to it. 

The FBI is warning of a malware campaign called “Badbox 2.0” that’s circulating over millions of internet devices, especially TV streaming boxes, digital projectors, and even aftermarket vehicle entertainment systems. 

In a public service alert, the FBI says the affected devices were manufactured in China and secretly backdoored to host malware. This can include installing the malware before the product’s sale or “infecting the device as it downloads required applications that contain backdoors, usually during the setup process,” the agency said. 

The hackers behind the scheme have been using the Badbox malware to create an army of enslaved computers, also known as a botnet. Because the infected devices have access to the internet, the hackers can harness the botnet as a proxy service, creating a launching pad for other cybercriminal activities while the owners of the infected TV boxes remain oblivious. 

“The public is urged to evaluate IoT devices in their home for any indications of compromise and consider disconnecting suspicious devices from their networks,” the FBI’s alert adds. But identifying the affected products isn’t so straightforward. That’s because the threat can occur over a large range of internet-connected devices that come from unrecognizable brands.

In March, cybersecurity firm Human Security helped uncover the BadBox threat, warning it had been circulating on Android-powered TV streaming boxes with “TV98” and “X96” model names. Such products can still be found on Amazon for $30 to $50, promising access to high-quality streaming and mobile apps. 

(Credit: Human Security)

(Credit: Human Security)

“BADBOX 2.0 is the largest botnet of infected connected TV devices ever uncovered,” Human Security added in its own report. Although a large portion of the affected devices were found in Brazil, a significant number have also been detected in the US.  

The FBI’s alert doesn’t include specific product models. But it says users should consider taking action if their internet-connected device hosts “suspicious marketplaces where apps are downloaded.” The same marketplaces could have the ability to download malware that’s been disguised to look like apps from official vendors. Another red flag is if the device requires Google Play Protect settings to be disabled or if it lacks Google Play Protect certification.

The FBI adds: “Avoid downloading apps from unofficial marketplaces advertising free streaming content.” Consumers can also consider swapping out the device for a TV streaming product from a well-known vendor.

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

Read Michael’s full bio

Read the latest from Michael Kan