BADBOX 2.0 and Vo1d Botnets: Android TV Streaming Box Infections, Impacted Models, and Mitigation Strategies

  • Rescana
  • 2 days ago
  • 5 min read
Executive Summary

Recent open-source intelligence and technical research have confirmed that millions of Android TV streaming boxes—primarily uncertified, off-brand, and low-cost models—are being conscripted into global botnets such as BADBOX 2.0 and Vo1d. These botnets are leveraged for ad fraud, credential stuffing, residential proxy abuse, and other cybercriminal activities. The infection is often present at the factory or delivered via malicious apps from unofficial marketplaces, making detection and remediation challenging for end users and organizations alike. This advisory provides a comprehensive technical analysis of the threat, including the tactics, techniques, and procedures (TTPs) employed by adversaries, a detailed list of affected product versions, exploitation methods, indicators of compromise (IOCs), and actionable mitigation strategies. The report is based exclusively on open-source, scraped, and verified data from leading cybersecurity research and news outlets.

Threat Actor Profile

The primary threat actors behind the current wave of Android TV streaming box botnet infections are organized cybercriminal groups operating out of China and Southeast Asia. The SalesTracker Group is believed to be responsible for the original BADBOX operation and its command-and-control (C2) infrastructure. The MoYu Group developed the BADBOX 2.0 backdoor, orchestrating botnets, click fraud, and residential proxy campaigns. The Lemon Group is connected to residential proxy services and ad fraud campaigns, utilizing Triada-inspired malware. LongTV, a Malaysia-based entity, is responsible for ad fraud via preinstalled apps on connected TV devices. While there is no direct attribution to advanced persistent threat (APT) groups, the infrastructure and operational patterns overlap with known Chinese cybercriminal operations. These actors are financially motivated, focusing on monetization through ad fraud, proxy rental, and credential stuffing, rather than state-sponsored espionage.

Technical Analysis of Malware/TTPs

The technical sophistication of the malware ecosystem targeting Android TV streaming boxes is significant. The infection chain typically begins either with malware pre-installed at the factory or with user-initiated installation of malicious applications from unofficial app stores, such as the Blue TV Store, which often replaces the legitimate Google Play Store on compromised devices. Once active, the malware establishes persistent C2 communication, usually over HTTP or HTTPS, with domains such as getgrass[.]io, catmore88[.]com, ipmoyu[.]com, long[.]tv, and app-goal[.]com. The malware deploys a suite of Unix network utilities, including netcat and tcpdump, enabling network reconnaissance, ARP poisoning, DNS hijacking, and lateral movement within the local network.

A hallmark of these infections is the enrollment of compromised devices into residential proxy networks, such as Grass IO and IPidea, which are then rented out to third parties for activities including ad fraud, credential stuffing, and large-scale web scraping for AI data harvesting. The malware often creates a “secondstage” folder on the device filesystem, which contains additional payloads and scripts for ongoing operations. The use of encrypted or obfuscated communication channels, rapid domain flux, and the deployment of rootkits or privilege escalation exploits further complicate detection and remediation.

The following MITRE ATT&CK techniques are observed in these campaigns: T1071.001 (Application Layer Protocol: Web Protocols), T1041 (Exfiltration Over C2 Channel), T1090 (Proxy), T1557 (Man-in-the-Middle via ARP poisoning and DNS hijacking), T1204 (User Execution), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1608 (Stage Capabilities), T1437 (Application Layer Protocol: Web Protocols for Mobile), and T1407 (Download, Install, and Execute Code).

Exploitation in the Wild

The exploitation lifecycle begins with the distribution of compromised devices through major online retailers, including Amazon, Walmart, BestBuy, Newegg, and eBay, often via third-party sellers. Devices are either infected at the factory or prompt users to install malicious applications during initial setup. Upon connection to the internet, the device immediately establishes outbound connections to C2 and proxy networks, often contacting Chinese servers such as Tencent QQ and enrolling in residential proxy services.

Post-infection, the device may exhibit anomalous network behavior, including unexplained bandwidth consumption, ARP poisoning, DNS hijacking, and intermittent network outages. The device is then used as a relay for malicious traffic, including the generation of fake ad impressions (ad fraud), credential stuffing attacks against online services, and large-scale web scraping for AI data aggregation. The scale of these operations is global, with infections observed in over 220 countries and territories, and the most significant impact reported in Brazil, the United States, Mexico, Argentina, and Colombia.

Victimology and Targeting

The primary victims are home users seeking low-cost or “free” streaming solutions, often unaware of the risks associated with uncertified Android TV boxes. However, the impact extends to digital advertising networks, e-commerce platforms, and any sector that relies on the reputation of residential IP addresses, due to the abuse of these devices as residential proxies. The compromised devices are typically uncertified, off-brand, or low-cost Android Open Source Project (AOSP) devices, not Play Protect certified Android TV OS devices. The following models are confirmed to be targeted and infected by BADBOX 2.0 and related botnets:

TV98, X96Q_Max_P, Q96L2, X96Q2, X96mini, S168, ums512_1h10_Natv, X96_S400, X96mini_RP, TX3mini, HY-001, MX10PRO, X96mini_Plus1, LongTV_GN7501E, Xtv77, NETBOX_B68, X96Q_PR01, AV-M9, ADT-3, OCBN, X96MATE_PLUS, KM1, X96Q_PRO, Projector_T6P, X96QPRO-TM, sp7731e_1h10_native, M8SPROW, TV008, X96Mini_5G, Q96MAX, Orbsmart_TR43, Z6, TVBOX, Smart, KM9PRO, A15, Transpeed, KM7, iSinbox, I96, SMART_TV, Fujicom-SmartTV, MXQ9PRO, MBOX, X96Q, isinbox, Mbox, R11, GameBox, KM6, X96Max_Plus2, TV007, Q9 Stick, SP7731E, H6, X88, X98K, and TXCZ.

Not all devices of a given model are necessarily infected, but infections are confirmed on some devices of each model above. The infection rate is highest among devices that are not Play Protect certified and are distributed through unofficial channels.

Mitigation and Countermeasures

Mitigating the risk posed by infected Android TV streaming boxes requires a multi-layered approach. First, organizations and individuals should avoid purchasing uncertified, off-brand, or low-cost Android TV devices, especially those that prompt the installation of unofficial app stores such as the Blue TV Store. Only devices that are Play Protect certified and sourced from reputable vendors should be considered for deployment in home or enterprise environments.

Network administrators should monitor for outbound connections to known malicious domains and proxy networks, including getgrass[.]io, catmore88[.]com, ipmoyu[.]com, long[.]tv, app-goal[.]com, and Tencent QQ infrastructure. The presence of Unix network utilities such as netcat and tcpdump, or of a “secondstage” folder on the device filesystem, should be treated as a high-confidence indicator of compromise.
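As an added example (not Rescana's code and not part of the advisory), the script below turns the two indicator classes named in this paragraph into a triage check: it matches resolver query logs against the advisory's C2 and proxy domains, and it scans a device filesystem listing for the “secondstage” folder and the netcat/tcpdump binaries. The log format, the sample lines, the device listing, and the binary locations under /system/xbin are constructed assumptions; adapt parse_dns_line() to your resolver's real log format.

```python
"""Flag LAN clients that query BADBOX 2.0 / Vo1d-associated domains and
scan a device file listing for the advisory's filesystem indicators.

Added example, not Rescana's code. Domains and the folder name come from
the advisory; the log format, sample lines, listing and binary paths are
constructed for illustration.
"""
from collections import defaultdict

# Indicators named in the advisory, refanged for matching.
IOC_DOMAINS = {"getgrass.io", "catmore88.com", "ipmoyu.com", "long.tv", "app-goal.com"}

# Constructed sample log: "<iso-timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2025-06-01T08:00:01Z 192.168.1.45 A api.getgrass.io
2025-06-01T08:00:02Z 192.168.1.45 A catmore88.com
2025-06-01T08:00:03Z 192.168.1.12 A www.example.com
2025-06-01T08:00:04Z 192.168.1.45 AAAA long.tv
2025-06-01T08:00:05Z 192.168.1.12 A notgetgrass.io
2025-06-01T08:00:06Z 192.168.1.77 A cdn.app-goal.com.
"""


def matched_ioc(qname):
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    Label-aware: 'notgetgrass.io' must not match 'getgrass.io'.
    A trailing dot (FQDN form) is tolerated.
    """
    name = qname.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def parse_dns_line(line):
    """Parse one constructed log line into (client_ip, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, _qtype, qname = parts
    return client, qname


def flag_dns_queries(log_text):
    """Map each client IP to the set of IOC domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        ioc = matched_ioc(qname)
        if ioc:
            hits[client].add(ioc)
    return dict(hits)


# Constructed listing (e.g. output of a recursive find from a device shell).
# The "secondstage" name is from the advisory; the binary paths are assumptions.
SAMPLE_LISTING = """\
/data/local/tmp/secondstage
/data/local/tmp/secondstage/run.sh
/system/bin/sh
/system/xbin/nc
/system/xbin/tcpdump
/sdcard/Download
"""

SUSPECT_BASENAMES = {"secondstage", "nc", "netcat", "tcpdump"}


def suspicious_paths(listing):
    """Return paths whose last component is one of the advisory's file indicators."""
    found = []
    for path in listing.splitlines():
        path = path.strip()
        if path and path.rsplit("/", 1)[-1].lower() in SUSPECT_BASENAMES:
            found.append(path)
    return found


if __name__ == "__main__":
    for client, domains in sorted(flag_dns_queries(SAMPLE_DNS_LOG).items()):
        print(f"{client}: contacted {', '.join(sorted(domains))}")
    for p in suspicious_paths(SAMPLE_LISTING):
        print("suspicious path:", p)
```

The domain match is suffix-based on a label boundary, so subdomains of an indicator (api.getgrass.io) are caught while unrelated names that merely end in the same characters (notgetgrass.io) are not. Clients returned by flag_dns_queries() are candidates for the isolation and forensic steps described in the next paragraph.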

Network anomalies, such as ARP poisoning, DNS hijacking, or unexplained network outages, may indicate the presence of a compromised device. In such cases, immediate isolation and forensic analysis of the device are recommended. Blocking known C2 domains at the network perimeter and implementing strict egress filtering can further reduce the risk of data exfiltration and proxy abuse.
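The ARP-poisoning and DNS-hijacking symptoms mentioned above can be checked from data a defender already has. The following added example (not from the advisory or Rescana) detects an IP address, and in particular the gateway address, being announced by more than one MAC, a single MAC claiming several IPs, and resolver answers that diverge from a trusted resolver for control names. All ARP observations, DNS answers, and the gateway address are constructed assumptions about a sample network.

```python
"""Detect ARP-poisoning and DNS-hijacking symptoms on a LAN.

Added example, not Rescana's code. ARP observations, DNS answers and the
gateway address are constructed; the trusted-resolver comparison assumes
you can query an independent resolver over a path the LAN cannot tamper with.
"""
from collections import defaultdict

# Constructed ARP observations (timestamp, ip, mac), e.g. from periodic
# 'ip neigh' snapshots or passive ARP capture at the switch.
SAMPLE_ARP = [
    ("08:00:00", "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("08:00:05", "192.168.1.45", "de:ad:be:ef:45:45"),  # streaming box
    ("08:00:10", "192.168.1.1", "de:ad:be:ef:45:45"),   # box now answers for the gateway IP
    ("08:00:15", "192.168.1.12", "aa:bb:cc:00:00:12"),
    ("08:00:20", "192.168.1.12", "de:ad:be:ef:45:45"),  # ... and for a client IP
]

GATEWAY_IP = "192.168.1.1"  # assumption for the sample network


def arp_conflicts(records):
    """Return {ip: sorted MACs} for every IP advertised by more than one MAC."""
    seen = defaultdict(set)
    for _ts, ip, mac in records:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def macs_claiming_many_ips(records, threshold=2):
    """Return {mac: sorted IPs} for MACs seen behind >= threshold IPs."""
    ips = defaultdict(set)
    for _ts, ip, mac in records:
        ips[mac.lower()].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) >= threshold}


def gateway_impersonated(records, gateway_ip=GATEWAY_IP):
    """True when the gateway IP has been announced by more than one MAC."""
    return gateway_ip in arp_conflicts(records)


# Constructed DNS comparison: answers for control names from the resolver the
# LAN hands out via DHCP versus answers from a trusted, independently reached resolver.
LAN_ANSWERS = {"example.com": {"203.0.113.10"}, "bank.example": {"198.51.100.7"}}
TRUSTED_ANSWERS = {"example.com": {"203.0.113.10"}, "bank.example": {"192.0.2.55"}}


def dns_divergence(lan, trusted):
    """Return control names whose LAN answers share no address with the trusted answers.

    A hijacked or spoofed resolver returns attacker-chosen addresses; CDN
    rotation can also differ, so treat hits as triage leads, not proof.
    """
    return sorted(
        name for name in trusted if name in lan and not (lan[name] & trusted[name])
    )


if __name__ == "__main__":
    print("ARP conflicts:", arp_conflicts(SAMPLE_ARP))
    print("MACs claiming several IPs:", macs_claiming_many_ips(SAMPLE_ARP))
    print("gateway impersonated:", gateway_impersonated(SAMPLE_ARP))
    print("DNS divergence:", dns_divergence(LAN_ANSWERS, TRUSTED_ANSWERS))
```

A MAC that appears behind the gateway address and behind other hosts' addresses within a short window is the classic poisoner signature; on the sample data it is the streaming box's MAC, which is exactly the device the advisory recommends isolating for forensic analysis.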

For organizations, regular asset inventory and device certification checks are essential. Any device found to be uncertified or exhibiting suspicious behavior should be removed from the network and replaced with a certified alternative. End users should be educated about the risks of using uncertified streaming devices and the importance of sourcing hardware from reputable vendors.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated risk scoring to empower security teams with actionable insights and proactive defense strategies. For further technical details, threat intelligence feeds, or custom monitoring solutions, we are happy to answer questions at ops@rescana.com.