
If you bought a generic smart home device, especially one manufactured in China, you may want to read this report.
In 2024, almost 900 million smart home devices were sold globally. Many of these devices are not of the highest quality. And while the Trump administration has issued tariffs that impact smart home device imports from China, the demand for these products in the United States is still on the rise.
Now, the FBI has warned that cybercriminals are installing hardware-level malware during the manufacturing process of these smart home devices or tricking users into downloading software-level malware during the installation of the devices. And millions of them are already inside the country and in people’s homes. Let’s dive in.
FBI warns of malware-infected smart home devices
On June 5, the FBI issued a warning regarding a cybercriminal operation that hacks IoT devices, targeting domestic environments. Once infected with malware, these smart home devices connect to the network. They then connect to a larger botnet to run cybercriminal operations.
The malware in question is known as BADBOX 2.0.

The FBI has identified hardware-level malware within smart home devices like smart TVs. This means that cybercriminal groups install the BADBOX 2.0 malware during the manufacturing process or before the shipping process.
Most of the infected devices come from China, the FBI said.
“Cyber criminals gain unauthorized access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames, and other products,” the FBI added.
Another way BADBOX 2.0 gains access to smart home devices is when users unpack and install the tech. Through guided instructions, those who buy these generic devices are directed to download apps from websites instead of via official app stores like Google Play and the Apple App Store. This is known as side-loading, which cybersecurity experts continually advise users not to do.
Once the malware reconfigures the smart home device, it can run in total stealth mode without ever raising any suspicion to the victim. You could be watching your favorite program on your smart TV — without a clue that your TV is conducting fraud in the background.
What is the BADBOX Botnet?
The BADBOX Botnet is the largest botnet of infected connected TV devices ever discovered. While the threat has been around since 2023, and law enforcement disrupted a BADBOX campaign in 2024, the malware and botnet are still up and running.
The FBI explains that the cybercriminals who manage and operate this massive botnet, which has the processing power of millions of devices, are renting out the malicious infrastructure to other criminal gangs. These gangs, in turn, conduct criminal activities using the millions of infected devices.
A botnet of this scale is capable of shutting down major websites (including e-commerce or government sites) with DDoS attacks by flooding them with fake traffic. It can also send out millions of phishing emails in a day and distribute other malware.

HUMAN Security’s Satori Threat Intelligence and Research team, who discovered BADBOX 2.0, described it as a complex, China-based operation that compromised off-brand devices. Working with Google, Trend Micro, and other partners, HUMAN Security disrupted the botnet.
The FBI recognized the work of these cybersecurity companies but continues to warn users not to side-load apps and to be on the lookout for suspicious activity at home, such as traffic surges.
Generic devices powered by open-source projects are cheaper than those produced by major brands. TV streaming devices, cell phones, tablets, digital projectors, aftermarket vehicle infotainment systems, digital picture frames, and other products have all been targeted with the BADBOX 2.0 backdoor.
Here’s what BADBOX 2.0 can do
Satori researchers estimate that BADBOX 2.0 infected more than 1 million consumer devices across 222 countries and territories, up from 74,000 in the original BADBOX.
“The greatest number of infected devices, which consumers cannot fix themselves, are found in Brazil, followed by the US, Mexico, and Argentina,” Satori researchers said.
The botnet has been found to run:
- Programmatic ad fraud (centered on hidden ads and WebViews)
- Click fraud involving low-quality domains
- Residential proxy services (which, in turn, facilitate the following attacks):
  - Account takeover (ATO)
  - Fake account creation
  - DDoS
  - Malware distribution
  - One-time password (OTP) theft

In the US, the threat of Chinese-made, unverified, generic devices has been in the spotlight for years. The ROUTERS Act, for example, aims to ban and remove all routers from China that pose a threat to national security.
Donald Trump’s tariffs imposed on Chinese-made electronics were expected to minimize the threat of malicious devices by increasing prices by up to 30% for Americans. However, the demand for smart gadgets is still high.
According to a report by Statista, the global shipment total for smart home devices reached around 892 million units in 2024. 270 million of those come from the video entertainment category alone.
Consumer Affairs found that the average US household owns 21 connected devices, covering 13 device categories. The organization also states that 62% of American users have concerns about their device security.
So, what should you do?
First, if you have already bought a generic, cheap smart home device, such as a smart TV, check the manufacturer and check your internet traffic. Is it slower than usual? Is it consuming more data? And is the hardware running hot? If the answer is yes to any of these questions, we recommend that you unplug it and have it checked by a professional.
The same advice applies if you bought a device that came with unique instructions directing you to download an app from a website instead of from an official app store.
Many of these devices, as mentioned, are advertised with promises of free streaming services or the ability to bypass paid content providers. These are clear red flags. Users should stay away from them.
When shopping for a new smart home device, always stick with respected brands. Not all respected brands are expensive, and most technology companies with good reputations offer price-accessible options to cater to all types of consumers.
Final thoughts
As the Satori threat research team says, the hardest part of BADBOX 2.0 is that it is extremely difficult for consumers to realize that their smart home device is carrying out malicious activity.
BADBOX malware runs in the background, out of sight, and silently. The best defense is to stay away from side-loading and avoid generic devices that are remarkably cheaper than comparable products.