The FBI, Google and security researchers warned users that smart TV boxes and Android-based media players at home could turn into cybercrime networks. Google, BADBOX 2.0 operation More than 10 million uncertified Android-based devices affected by the malicious proxy network called NetNut. at least 2 million consumer devices announced his involvement. This situation concerns not only corporate networks, but also users who plug in their television boxes at home and forget about them.
The BADBOX 2.0 threat appears especially in uncertified Android Open Source Project-based TV boxes, projectors, digital photo frames and in-car infotainment systems. The FBI states that cybercriminals gain unauthorized access to home networks through these devices and turn the devices into part of a botnet or residential proxy network. Google, on the other hand, states that criminals installed malware on some devices before purchase, and that some devices were infected with fake or malicious applications downloaded during installation.
At this point, the risk is not just a strange image appearing on your television screen. The hijacked device can use your internet connection as an outlet for other attacks in the background. In such a case, criminals can use your home IP address for ad fraud, fake account creation, credential theft, password hashes or DDoS attacks. Frankly, most of the time the user does not notice this traffic because the device normally continues to play movies and TV series.
For a quick check at home, you first need to check whether your device has the Google Play Protect certificate. If you cannot see Play Protect information in the settings menu, if the device allows the installation of APKs from unknown app stores, or if you are using an unbranded box sold with the promise of “free unlimited streaming”, you should take the risk more seriously. Kaspersky also recommends uninstalling applications such as alternative application stores, “Wi-Fi booster” and “system cleaner”, updating all devices including the router, and monitoring the connections made by the TV box.
Uncertified Android TV boxes are in the main risk group
Google’s statement shows that the threat is concentrated in Android-based low-cost media boxes, rather than the classic smart TV platforms of large manufacturers such as Samsung, LG or Sony. HUMAN Security also describes BADBOX 2.0 as one of the largest botnet operations ever targeting connected TV devices. Researchers state that this operation is an enlarged and changed version of the BADBOX campaign that emerged in 2023.
That’s why Google not only took technical precautions, but also initiated legal proceedings against those it claimed were managing the BADBOX 2.0 infrastructure. The company emphasizes that it tries to block harmful applications by updating Google Play Protect protections and that uncertified Android devices are deprived of these layers of protection. This distinction is important because from the outside, both TV boxes may offer an Android interface, but the security chain of one is verified by Google, while the other leaves the user entirely up to the firmware and the vendor’s intent.
On the NetNut side, the table opens to a different door. Google Threat Intelligence Group found that the NetNut proxy network is being used extensively by cybercriminals to disguise the source of malicious traffic, using suspicious NetNut exit nodes in just one week in June 2026. 316 distinct threat actor clusters He explained what he saw. KrebsOnSecurity also associates this network with residential proxy services and states that hijacked devices can carry other people’s internet traffic without the user noticing.
The most practical step for home users is not to be limited to restarting the TV box and router. Check for device software updates, uninstall unknown apps, turn off remote access and developer options, change default passwords, and look in the router interface to see if the TV box keeps making connections to unfamiliar countries or servers you don’t recognize. If the device is very cheap, does not offer brand support, does not receive updates, or does not display Play Protect certification, it is safer to remove it from the home network.
Long story short, smart TV boxes are no longer just a living room entertainment device. When you connect the wrong device to the home network, you can turn it into the silent infrastructure of cybercriminals. Even if you don’t see any problems with your TV, it would be appropriate to check the device list, installed applications and network traffic today. Especially those who use unbranded Android TV boxes should take this warning into consideration without delay.