Off-brand IoT devices are still vulnerable to BadBox botnet, FBI says

A stubborn malware campaign has now infected millions of connected devices worldwide, and the resulting botnet is being exploited for criminal activity, according to the FBI.

BadBox 2.0 targets internet of things (IoT) hardware such as “TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products,” the bureau’s Internet Crime Complaint Center (IC3) said in an alert this week.

The malware can come pre-installed in off-brand or aftermarket devices, or arrive alongside software updates from sketchy sources, the bureau said. It’s essentially a continuation of the BadBox campaign stifled by German law enforcement in December.  

Analysts at cybersecurity company HUMAN warned about BadBox 2.0 in March, saying at the time that it had infected at least 1 million Android devices, typically manufactured and shipped from China. The original BadBox campaign was only credited with tens of thousands of infections.

The botnet allows cybercriminals to mask their activity by making it appear to come from legitimate home networks, also known as residential proxies. In some cases the operators sell access to the botnet to other cybercriminals, the alert said.

“The public is urged to evaluate IoT devices in their home for any indications of compromise and consider disconnecting suspicious devices from their networks,” the FBI said.

The alert said customers should be wary of using Android devices that come from unfamiliar sources, are sold as unlocked or advertised as providing free content. Signs of compromise include the presence of suspicious app marketplaces and requests to disable Google Play Protect security features.

Cybersecurity experts also recommend updating the firmware on IoT devices whenever possible.