1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

WIRED, 05-03-2025

By Lily Hay Newman and Matt Burgess, Mar 5, 2025, 6:00 AM

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Photo-illustration: WIRED Staff; Getty Images
Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they're used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that's broader in scope and even more sneaky.
At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.
'This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,' Gavin Reid, Human's chief information security officer, tells WIRED. 'Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.'
The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren't produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the 'TV98' and 'X96' device families. Virtually all of the targeted devices are designed using Android's open source operating system code, meaning they run versions of Android but aren't part of Google's ecosystem of protected devices.
Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google's advertising ecosystem.
'Malicious attacks like the one described in this report are expressly prohibited on our platforms,' Google spokesperson Nate Funkhouser told WIRED in a statement. 'Bad actors' tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.'
In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.
Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.
The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it's been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such 'evil twin' apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.
'We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,' says Lindsay Kaye, Human's vice president of threat intelligence. 'So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.'
Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.
'The scale of the operation is huge,' says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are 'easily up to a million devices online' for any of the groups, 'This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.'
Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed 'silent' plugins on devices and used them for a diverse array of seemingly fraudulent activity.
'The companies that basically survived that age of 2015 were the companies who adapted,' Yarochkin says. He notes that his investigations have now identified multiple 'business entities' in China which appear to be linked back to some of the groups involved in Badbox 2.0. The connections include both economic and technical links. 'We identified their addresses, we've seen some pictures of their offices, they have accounts of some employees on LinkedIn,' he says.
Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it's unlikely that exposing Badbox 2.0 will permanently end the activity.
'As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,' Trend Micro's Yarochkin says. 'There is no free cheese unless the cheese is in a mousetrap.'