Proprietary · 2023-10-01 · 614 days · Botnet, Ad Fraud, Proxy, Remote Access

Off-brand Android devices shipped with BADBOX

BADBOX and BADBOX 2.0 turned off-brand AOSP devices into fraud nodes, with many devices preinfected before consumers connected them.

Story

BADBOX is a device supply-chain problem, not just another malicious app. HUMAN described off-brand, uncertified Android Open Source Project devices that arrived backdoored and joined fraud infrastructure once powered on.

BADBOX 2.0 expanded the operation. HUMAN, Google, Trend Micro, Shadowserver, and other partners found more than one million infected devices across connected TVs, TV boxes, tablets, projectors, and other AOSP products. Google later described the affected hardware as uncertified AOSP devices, not Android TV OS or Play Protect certified devices.

The monetization was industrial. The devices were used for ad fraud, click fraud, proxyjacking, and botnet services. HUMAN also found parallel delivery through infected apps from unofficial stores, so this record tracks only the preinfected device path and leaves app-only infections out of scope.

Vo1d is related in shape but weaker as a supply-chain record. Dr.Web found it in system storage on many Android TV boxes, but public reporting leaves the infection vector open: exploitation, unofficial firmware, or another path. BADBOX has clearer preinfection evidence and is the canonical record here.

Affected Artifacts

BADBOX-infected AOSP device firmware

Type: Firmware
Observed: 2023-10-01 to 2025-06-06
Compromised Versions: Unknown
Fixed: Not listed
  • HUMAN described more than one million infected devices in BADBOX 2.0 and said many were preinfected; some infections also came from unofficial-app delivery.
  • The affected device population included connected TV devices, TV boxes, tablets, projectors, car infotainment systems, and other uncertified AOSP devices.

Incident Context

Motive: Ad Fraud, Proxy
Attribution: Group
Cause: Firmware Supply Chain Compromise
Transitive: No
Actor: BADBOX operators
User Impact: 1,000,000

External References

Source record: proprietary/badbox/meta.yaml