BadBox Malware: What You Need to Know

A knowledge base article about BadBox Malware: What You Need to Know provided by the UC Berkeley IT Service Hub - Knowledge Portal

What is BadBox?

BadBox is malware (malicious software) that mostly infects cheap, off-brand Android streaming devices and TV boxes. Unlike typical computer viruses that spread through downloads or suspicious links, BadBox comes pre-installed on these devices straight from the factory.

Once on your network, BadBox quietly performs criminal activities in the background, including:

Stealing your personal data
Routing malicious internet traffic through your device
Committing advertising fraud
Building networks of infected devices (called "botnets")

All of this happens while you're just trying to watch your shows.

How Did My Device Get Infected?

If you purchased a budget-friendly streaming box from an online marketplace, especially one with an unfamiliar brand name, it likely arrived already infected.

Commonly affected devices include:

Cheap Android TV boxes sold on Amazon, eBay, or other online marketplaces
Generic streaming boxes with unclear brand names
Devices marketed as "all-in-one" solutions at suspiciously low prices

Cybercriminals intentionally sell these pre-compromised devices to build large networks of infected electronics they can control remotely.

Why Can't I Just Remove It?

BadBox is different from standard viruses because it's baked directly into the device's core system software (firmware). This means:

Factory resets won't work – The malware will come back
Uninstalling apps won't help – It's not an app; it's part of the system
Antivirus software can't remove it – There's no user-level fix

Since the infection can't be safely removed, the device cannot be trusted on any network.

What Should I Do?

Immediate Steps:

1. Locate the infected device: Find the streaming box or Android TV device you suspect is infected

2. Disconnect it: Unplug it from power and remove it from your network

3. Don't reconnect it anywhere: Not to a friend's Wi-Fi, your phone's hotspot, or any other network

Going Forward:

If you need a streaming device, purchase one from a reputable manufacturer that actively maintains security updates:

Apple TV
Roku
Google Chromecast
Amazon Fire TV

These companies regularly patch security vulnerabilities and take device safety seriously.

More Information

Krebs on Security: Is Your Android TV Streaming Box Part of a Botnet? https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/
FBI Cyber Alert: Home Internet-Connected Devices Facilitate Criminal Activity https://www.fbi.gov/investigate/cyber/alerts/2025/home-internet-connected-devices-facilitate-criminal-activity
National Cyber Security Centre: Android BadBox 2.0 https://www.ncsc.gov.ie/pdfs/AndroidBadbox2-0.pdf