BADBOX 2.0 Android streaming-device botnet
Malware Activity
Summary
Hide ▲
Show ▼
The BADBOX 2.0 botnet is infecting Android streaming devices with malicious apps from unofficial marketplaces, turning them into a residential proxy network used for ad fraud and other abuse. The activity can compromise devices before purchase and is reported at a scale of over ten million devices. That makes consumer TV boxes a major source of covert traffic and a wider botnet risk.
Related Happenings
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
H score26
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware ActivityAbout this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
IPTV app lure campaign distributing Massiv Android banking malware
Campaign
H score25
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
IPTV app lure campaign distributing Massiv Android banking malware
CampaignAbout this happening: A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
Timeline
-
24.11.2025 20:44 2 articles · 7mo ago
Superbox devices found relaying traffic through residential proxy network
Technical Analysis UpdateCensys research found Superbox Android TV streaming devices sold at retailers like Best Buy and Walmart contacting Tencent QQ and Grass IO, while also running tools such as Tcpdump and Netcat and showing DNS hijacking and ARP poisoning behavior consistent with relaying user traffic through a residential proxy network.
Show sources
- Is Your Android TV Streaming Box Part of a Botnet? — krebsonsecurity.com — 24.11.2025 20:44
- Is Your Android TV Streaming Box Part of a Botnet? — krebsonsecurity.com — 24.11.2025 20:44