BADBOX 2.0 Found Preinstalled on Android IoT Devices Worldwide

A new series of Android-based malware, BADBOX 2.0, is turning everyday smart devices into a botnet, often before they even reach users’ homes. The FBI has now flagged this malware as a global threat, and recent analysis from Point Wild’s Lat61 Threat Intelligence Team reveals over 1 million devices across 222 countries and territories have already been compromised.

Led by Dr. Zulfikar Ramzan, the Lat61 team traced the infection chain to its core: a native backdoor library named libanl.so, embedded deep within device firmware. The malware is designed to survive factory resets, carry out stealthy operations, and generate profit through hidden ad-click activity.

What makes BADBOX 2.0 especially dangerous is how it spreads. It’s not just pushed through malicious downloads or fake apps. Many of the infected devices come preloaded or pre-installed with the malware straight from the factory. This means users are exposed from the moment they power on a new device.

BADBOX was first identified in October 2023, found in low-cost Android TV boxes that were compromising home networks. In the latest attack as well, most victims are users of low-cost Android-based IoT devices like generic-brand smart TVs, streaming boxes, digital projectors, or tablets, often purchased from online marketplaces and in some cases also available on Amazon. These devices are typically manufactured through unregulated supply chains and shipped worldwide without proper security checks.

Once active, BADBOX 2.0 turns the device into a node in a residential proxy network. These nodes are then sold to criminal groups who use them to hide their tracks during click fraud, credential stuffing, and other types of cyberattacks.

According to Point Wild’s blog post shared with Hackread.com, the key components identified by analysts include:

• libanl.so: A native backdoor that triggers malware modules on boot
• p.jar and q.jar: Java modules responsible for downloading new payloads and maintaining persistence
• com.hs.app: A system-level Android app that loads the backdoor
• catmore88(.)com and ipmoyu(.)com: Command and control (C2) domains used to communicate with infected devices

The malware is capable of operating silently in the background. Victims may only notice symptoms like high CPU usage, overheating, sluggish performance, or unusual internet traffic when the device is idle.

Point Wild’s telemetry shows infections spread across more than 222 countries, with many occurring out of the box. Users don’t need to download anything or click a malicious link. Just plugging in the device is enough to become part of a botnet.

What’s worse, the design allows for persistent access, encrypted communication with remote servers, and revenue generation through invisible ad-click modules, all without the user’s knowledge.

If your device feels sluggish, heats up unexpectedly, or shows signs of unusual internet activity even when idle, it might be infected. Other red flags include Google Play Protect being disabled or missing entirely, unfamiliar apps appearing on their own, or the device being from an off-brand manufacturer without verified firmware. These signs could point to malware like BADBOX 2.0 running silently in the background.

Users should also avoid buying unbranded or ultra-cheap devices from unknown sellers. Stick to manufacturers that offer ongoing firmware support and publish clear security documentation.

Remember, BADBOX 2.0 isn’t just some run-of-the-mill malware. It’s part of a large, coordinated operation that’s quietly turning cheap consumer devices into tools for cybercriminals, renting them out for fraud and other attacks.

The groups behind it are likely based in China, and what makes it especially dangerous is how deeply it’s embedded. Since the malware is often pre-installed during manufacturing, spotting or removing it is far more difficult than dealing with typical infections.