Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.
At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.
“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don’t know that they’re a proxy, they never agreed to be a proxy service, but they’re being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”
