Latest news with #BADBOX2.0


Digital Trends
08-06-2025
- Digital Trends
Check your gadgets: FBI warns millions of streaming devices infected by malware
The FBI issued a public warning last week about a massive cybercrime operation exploiting everyday internet-connected devices. The botnet, dubbed BADBOX 2.0, has quietly infiltrated millions of TV streaming boxes, digital projectors, tablets, car infotainment systems, and other smart gadgets commonly found in homes across the U.S.

What BADBOX 2.0 actually does

Once compromised, these devices don't just underperform or crash; they secretly enlist your home internet connection into a residential proxy network. That means cybercriminals can hide behind your IP address to commit crimes like ad fraud, data scraping, and more. All of it happens behind the scenes, without the victim's knowledge.

'This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,' said Gavin Reid, chief information security officer at cybersecurity firm Human Security, in an interview with Wired.

What devices are affected?

According to the FBI, BADBOX 2.0 has infected:

- TV streaming boxes
- Digital projectors
- Aftermarket vehicle infotainment systems
- Digital picture frames

Most of these devices are manufactured in China and marketed under generic or unrecognizable brand names. Security researchers estimate at least 1 million active infections globally, with the botnet potentially encompassing several million devices overall.

The worst offenders belong to the 'TV98' and 'X96' families of Android-based devices, both of which are currently available for purchase on Amazon. In the example below, one of the potentially problematic devices is advertised as 'Amazon's Choice.'

How the infections happen

There are two primary sources of infection:

- Pre-installed malware: Some devices arrive already compromised, having been tampered with before reaching store shelves.
- Malicious app installs: During setup, users are often prompted to install apps from unofficial marketplaces, where malware-laced software opens backdoors.
This marks an evolution from the original BADBOX campaign, which relied primarily on firmware-level infections. The new version is more nimble, using software tricks and fake apps to broaden its reach.

How to tell if your device is infected

Here are the red flags to watch for:

- The device asks you to disable Google Play Protect
- It comes from an unfamiliar or no-name brand
- It's advertised as 'unlocked' or able to stream free content
- It directs you to download apps from unofficial app stores
- You notice unexplained internet traffic on your home network

How to protect your home network

To stay safe, the FBI recommends the following precautions:

- Avoid unofficial app stores. Stick to the Google Play Store or Apple's App Store.
- Don't chase suspicious bargains. Extremely inexpensive, unbranded gadgets are often too good to be true.
- Monitor your network. Keep an eye on unusual internet usage patterns or devices that you don't recognize.
- Stay updated. Regularly update your devices and router with the latest firmware and security patches.

If you suspect a device on your network may be infected, disconnect it immediately and consider filing a report with the FBI at

Be skeptical of bargain gadgets

If it seems too good to be true, it probably is. Fyodor Yarochkin, a senior threat researcher at Trend Micro, said it best: 'There is no free cheese unless the cheese is in a mousetrap.'
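Of the FBI's red flags, "unexplained internet traffic" is the one a defender can test for with data the home router already has. The script below is an added example, not code from the FBI alert, Digital Trends, or Human Security; it triages per-device flow records with two heuristics that separate a media client from a proxy exit node: a streaming box pulls large volumes from a handful of CDN endpoints and sends almost nothing back, while a device relaying other people's requests fans out to many unrelated remote hosts and, because everything it fetches is sent back upstream to the operator, uploads roughly as much as it downloads. The flow records, device addresses and thresholds are constructed for illustration (remote addresses are from the RFC 5737 documentation ranges), not taken from the page or from any real capture, and the thresholds will need tuning to a given household.

```python
"""Triage of per-device flow records for residential-proxy behaviour.

Added example. The flow records are constructed, not real captures, and the
thresholds are starting points, not values taken from the FBI alert.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records as a home router might export them:
# (local device, remote IP, remote port, bytes sent by device, bytes received).
SAMPLE_FLOWS = [
    # 192.168.1.20: a streaming box behaving itself, pulling video from a
    # few CDN endpoints and sending almost nothing back.
    ("192.168.1.20", "203.0.113.10", 443, 40_000, 2_100_000),
    ("192.168.1.20", "203.0.113.11", 443, 12_000, 900_000),
    ("192.168.1.20", "203.0.113.40", 443, 5_000, 60_000),
    ("192.168.1.20", "203.0.113.41", 80, 1_000, 20_000),
    # 192.168.1.31: a no-name "TV box" acting as a proxy exit. It fetches
    # pages from a dozen unrelated hosts on behalf of the proxy customer...
    *[("192.168.1.31", f"198.51.100.{i}", 443, 5_000, 60_000) for i in range(1, 7)],
    *[("192.168.1.31", f"192.0.2.{i}", 443, 5_000, 60_000) for i in range(1, 7)],
    # ...and relays what it fetched back up to the operator's relay host, so in
    # aggregate it sends about as much as it receives.
    ("192.168.1.31", "198.51.100.200", 8443, 700_000, 50_000),
]


def summarize(flows):
    """Aggregate flows per local device: distinct remote hosts, distinct /24s,
    and total bytes in each direction."""
    stats = defaultdict(lambda: {"hosts": set(), "nets": set(), "out": 0, "in": 0})
    for device, remote, _port, bytes_out, bytes_in in flows:
        s = stats[device]
        s["hosts"].add(remote)
        s["nets"].add(ip_network(f"{remote}/24", strict=False))
        s["out"] += bytes_out
        s["in"] += bytes_in
    return stats


def triage(flows, max_hosts=10, max_upload_ratio=0.25):
    """Return {device: [reasons]} for devices whose profile looks like a proxy
    exit rather than a media client. Both thresholds are assumptions to tune:
    a media client normally talks to a handful of hosts and has a
    sent/received ratio far below 0.25."""
    findings = {}
    for device, s in summarize(flows).items():
        reasons = []
        if len(s["hosts"]) > max_hosts:
            reasons.append(
                f"fan-out: {len(s['hosts'])} remote hosts across {len(s['nets'])} /24s"
            )
        ratio = s["out"] / max(s["in"], 1)
        if ratio > max_upload_ratio:
            reasons.append(f"upload-heavy: sent/received ratio {ratio:.2f}")
        if reasons:
            findings[device] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in triage(SAMPLE_FLOWS).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data only the no-name box is flagged, on both counts; the streaming box is not. A device flagged only for fan-out (a laptop browsing many sites) is normal, which is why the two signals are reported separately rather than folded into one score.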
Yahoo
06-06-2025
- Yahoo
BADBOX 2.0 botnet alert: FBI warns smart TVs, digital devices may be exploited
The Brief

- Cyber criminals are exploiting IoT devices in homes to create a botnet called BADBOX 2.0, enabling illegal online activities.
- Most compromised devices are manufactured in China and become infected either pre-loaded with malware or during app downloads containing hidden backdoors.
- The FBI advises the public to assess and disconnect suspicious IoT devices, avoid unofficial app sources, and report potential victimization to the Internet Crime Complaint Center.

WASHINGTON - The Federal Bureau of Investigation issued a public alert on Thursday, cautioning Americans about cyber criminals who are exploiting internet-connected devices in homes to conduct illegal activities through a network known as the BADBOX 2.0 botnet.

What we know

According to the FBI, criminals are gaining unauthorized access to home networks by targeting Internet of Things (IoT) devices such as TV streaming boxes, digital projectors, digital picture frames, and aftermarket vehicle infotainment systems. Most of these compromised devices are manufactured in China and are either pre-loaded with malicious software or become infected during setup when users download apps containing hidden backdoors.

Dig deeper

Once compromised, these devices become part of BADBOX 2.0, a botnet comprising millions of infected systems used to access residential proxy services, often without the knowledge of consumers. The FBI noted that BADBOX 2.0 is the successor to the original BADBOX campaign, which was disrupted in 2024 after being discovered in 2023. The initial version primarily targeted Android devices compromised with backdoor malware prior to purchase. The updated campaign now also infects devices via unofficial app marketplaces.

Why you should care

Cyber criminals utilize these infected devices to sell or offer free access to compromised home networks, enabling a wide range of illegal online activities.

The FBI listed several signs that may indicate a device is compromised, including the presence of unofficial app marketplaces, devices requiring Google Play Protect to be disabled, streaming devices advertised as "unlocked" or able to access free content, unknown or unverified device brands, Android devices that are not Play Protect certified, and unexplained or suspicious internet traffic.

What you can do

The FBI is urging the public to assess all IoT devices connected to their home networks and consider disconnecting any device that appears suspicious. Officials also advise consumers to avoid downloading apps from unofficial sources, keep software updated, monitor network activity, and prioritize patching any known vulnerabilities.

The agency acknowledged contributions from Google, Human Security, Trend Micro, and the Shadowserver Foundation in preparing the alert.

Anyone who believes they may have been a victim is urged to file a report with the FBI's Internet Crime Complaint Center at

The Source

The details in this article were provided by the FBI.


Forbes
17-04-2025
- Business
- Forbes
Apollo Exposed: What 400M Fake Ad Requests Reveal About Fraud
Audio advertising is booming. With programmatic audio spend projected to surpass $2 billion in 2025, it's become one of the most promising—and vulnerable—channels in digital media. Where innovation leads, cybercrime follows. And the recent Apollo operation uncovered by HUMAN and The Trade Desk is a case study in just how sophisticated, and damaging, that fraud can be.

At its peak, Apollo accounted for 400 million fraudulent bid requests per day, making it the largest audio-related ad fraud scheme ever detected. But what makes Apollo especially troubling isn't just the scale—it's how convincingly it mimicked legitimate traffic, exploited supply chain blind spots, and leveraged malware-infected CTV devices to obscure its origin.

I spoke with Will Herbig, senior director for AdTech Fraud Research & Strategic Customer Analytics at HUMAN, about the research. He explained that Apollo preyed on a fundamental weakness in server-side ad insertion (SSAI), the technology used to serve seamless audio and video ads without interrupting the user experience. With SSAI, advertisers receive limited telemetry—often just a user-agent string and an IP address—making it an ideal environment for spoofing.

Fraudsters behind Apollo reverse-engineered the ad request flows of legitimate apps, replicating their formats to impersonate real audio ad inventory. They even spoofed apps that shouldn't have been serving audio at all.

'One of the things that sparked this investigation was the question of, why are puzzle apps serving audio ads?' Herbig told me. 'At least in my experience, it's uncommon that a puzzle app or something like that is going to serve an audio ad.'

It was a subtle anomaly—but it set off a cascade of deeper analysis that ultimately exposed Apollo's intricate fabrication tactics. Apollo's traffic wasn't generated by infected devices in the traditional sense.
Instead, bid requests were fabricated wholesale—generated by script, spoofed to resemble real devices, and funneled through residential proxies to mask their true data center origins. Herbig emphasized that, at the scale Apollo operated, it generated traffic equivalent to that of a mid-sized city like Stamford, Connecticut.

That scale was achieved in part thanks to BADBOX 2.0, a botnet of over a million compromised connected TV devices. Apollo traffickers leveraged BADBOX to route requests through residential IPs, making the traffic appear legitimate and difficult to trace. HUMAN had previously disrupted BADBOX, but its infrastructure was clearly still being exploited.

By layering spoofed app identities, forged device configurations, and residential proxy evasion, Apollo's operators built a fraud operation that slipped through many traditional defenses.

The real damage, however, was in how Apollo exploited programmatic advertising's fragmented supply chain. Many platforms only validate the final seller in a transaction—a check that Apollo often passed. But those 'authorized' sellers were frequently several layers removed from the spoofed origin.

'There can be non-compliance in earlier parts of the supply chain, and then as you get to later parts, things look valid,' Herbig said. 'Many implementations of these supply chain standards are only checking the last place that came from, so everything that happened before that is kind of out of scope.'

This phenomenon—what HUMAN refers to as 'supply chain convergence'—allows spoofed inventory to piggyback on authorized reseller pathways, creating a false sense of legitimacy. It's a loophole that remains dangerously under-policed in today's real-time bidding ecosystem.

HUMAN didn't just uncover Apollo—they helped dismantle it. Leveraging a predictive pre-bid scoring engine and an aggressive response strategy, the company saw a 99% reduction in Apollo-associated traffic across its platform.
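Herbig's point about last-hop checks can be made concrete. What follows is an added example, not code from HUMAN, The Trade Desk or the article. It assumes that the 'supply chain standards' referred to are the IAB ads.txt and sellers.json files together with the OpenRTB SupplyChain object (`source.ext.schain`), and it uses constructed ads.txt, sellers.json and bid data under `.example` domains. A genuine path and a spoofed one are checked two ways: the spoofed bid enters the chain through an exchange the publisher never authorized and then converges onto the same authorized reseller account as the genuine bid, so its final hop is identical and a last-hop check passes, while an end-to-end walk rejects it. The hop-to-hop continuity rule (each account's sellers.json `domain` must name the previous hop) is a simplification for illustration; production checks must also cope with confidential sellers.json entries and with `complete: 0` chains.

```python
"""Last-hop versus end-to-end validation of an OpenRTB SupplyChain (schain).

Added example with constructed ads.txt, sellers.json and bid data. Field
names follow the IAB ads.txt, sellers.json and SupplyChain specifications.
"""

# Constructed publisher ads.txt, indexed by publisher domain:
# (advertising system domain, seller account id) -> relationship.
ADS_TXT = {
    "puzzle-app.example": {
        ("directssp.example", "1001"): "DIRECT",
        ("legitssp.example", "9001"): "RESELLER",
    },
}

# Constructed sellers.json records, indexed by advertising system domain and
# seller_id; "domain" names whose inventory that account sells.
SELLERS_JSON = {
    "directssp.example": {
        "1001": {"seller_type": "PUBLISHER", "domain": "puzzle-app.example"},
    },
    "legitssp.example": {
        "9001": {"seller_type": "INTERMEDIARY", "domain": "directssp.example"},
    },
    "shadyexchange.example": {
        "S-777": {"seller_type": "PUBLISHER", "domain": "spoofed-app-farm.example"},
    },
}

def make_bid(publisher, nodes):
    """Minimal OpenRTB request carrying an schain with the given hops."""
    return {
        "site": {"domain": publisher},
        "source": {"ext": {"schain": {"ver": "1.0", "complete": 1, "nodes": nodes}}},
    }

# Genuine path: the publisher's own SSP account, resold by an authorized SSP.
LEGIT_BID = make_bid("puzzle-app.example", [
    {"asi": "directssp.example", "sid": "1001", "hp": 1},
    {"asi": "legitssp.example", "sid": "9001", "hp": 1},
])

# Spoofed path: fabricated inventory enters through an unauthorized exchange
# and converges onto the same authorized reseller account, so the final hop
# is identical to the genuine one.
SPOOFED_BID = make_bid("puzzle-app.example", [
    {"asi": "shadyexchange.example", "sid": "S-777", "hp": 1},
    {"asi": "legitssp.example", "sid": "9001", "hp": 1},
])

def _schain(bid):
    schain = bid.get("source", {}).get("ext", {}).get("schain", {})
    return schain, schain.get("nodes", [])

def validate_last_hop(bid):
    """The check Herbig criticizes: only the final seller is compared with
    the publisher's ads.txt, so every earlier hop is out of scope."""
    publisher = bid["site"]["domain"]
    _, nodes = _schain(bid)
    if not nodes:
        return False
    last = nodes[-1]
    return (last["asi"], last["sid"]) in ADS_TXT.get(publisher, {})

def validate_full_chain(bid):
    """Walk every hop; returns a list of reasons, empty when the path is clean."""
    publisher = bid["site"]["domain"]
    schain, nodes = _schain(bid)
    if schain.get("complete") != 1 or not nodes:
        return ["schain missing or marked incomplete"]
    authorized = ADS_TXT.get(publisher, {})
    reasons = []
    for i, node in enumerate(nodes):
        asi, sid = node["asi"], node["sid"]
        # Hop 0 must be the publisher's own account (DIRECT); later hops RESELLER.
        expected = "DIRECT" if i == 0 else "RESELLER"
        actual = authorized.get((asi, sid))
        if actual != expected:
            reasons.append(f"hop {i}: {asi}/{sid} is {actual or 'absent'} in "
                           f"{publisher} ads.txt, expected {expected}")
        record = SELLERS_JSON.get(asi, {}).get(sid)
        if record is None:
            reasons.append(f"hop {i}: {asi} has no sellers.json entry for {sid}")
            continue
        # Continuity: the account must sell for the previous hop (at hop 0,
        # for the publisher itself). A reused reseller id fails here.
        upstream = publisher if i == 0 else nodes[i - 1]["asi"]
        if record["domain"] != upstream:
            reasons.append(f"hop {i}: {asi}/{sid} sells for {record['domain']}, "
                           f"but the chain claims {upstream}")
    return reasons

if __name__ == "__main__":
    for name, bid in (("legit", LEGIT_BID), ("spoofed", SPOOFED_BID)):
        print(name, "last-hop:", validate_last_hop(bid),
              "full-chain:", validate_full_chain(bid) or "clean")
```

Both bids pass `validate_last_hop`, because both end at the same (legitssp.example, 9001) account that the publisher's ads.txt lists as a RESELLER. Only the end-to-end walk sees that the spoofed bid's first hop is absent from ads.txt, that the account there sells for a different domain, and that the reseller account's upstream does not match the hop that claims to have fed it.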
'We are effectively demonetizing this supply,' Herbig said. 'By reducing the amount of bids that this inventory is getting… we're making it harder and harder for fraudsters to profit.'

The broader goal, Herbig explained, is to make ad fraud uneconomical at scale. Each operation disrupted increases the operational cost for cybercriminals. Every layer of complexity—whether it's a disrupted proxy network, stricter supply chain checks, or tighter SDK enforcement—raises the barrier to entry.

One of the strongest weapons against operations like Apollo isn't just technology—it's collaboration. HUMAN has leaned heavily into this strategy through its Human Collective, a multi-stakeholder initiative aimed at threat sharing and collective protection.

According to Herbig, 'One of the great things we're doing is threat sharing. When we are observing concentrations of IBT, we are discussing that with the Human Collective, and we're using it as a forum for collaboration and a forum for discussion.'

By sharing intelligence, surfacing patterns, and coordinating responses, HUMAN and its partners are creating a ripple effect across the programmatic ecosystem. The goal isn't to eliminate fraud entirely—it's to tip the cost-benefit equation against the fraudsters. As Herbig put it, 'We're trying to disrupt the economics of cybercrime… to the point that it becomes not worth it.'

Apollo is a milestone—not just in the scope of audio ad fraud, but in how the industry responds to it. The findings call for stronger adoption of third-party verification tools like the Open Measurement SDK, more rigorous end-to-end supply path validation, and above all, tighter industry-wide collaboration.

Audio may be one of the newest frontiers in ad fraud, but it doesn't have to be the most vulnerable. With vigilance, transparency, and cooperation, the industry has a fighting chance to turn down the noise and restore trust in programmatic audio.