FBI Warns of IoT Device Threat: What It Means for Consumers

Key Takeaways:

  • The FBI issued a June 2025 alert about criminal use of pre-infected Android-based IoT devices.
  • Devices include TV boxes, tablets, projectors, and infotainment systems repurposed as proxies for illegal activity.
  • Users should avoid uncertified, low-cost devices and those with third-party app stores or suspicious behavior.

In early June, the FBI released a public service announcement cautioning that certain Android-based Internet of Things (IoT) devices are being compromised before they ever reach consumers. The campaign, known as BADBOX, involves adversaries distributing low-cost gadgets embedded with malware that turns them into part of a global proxy network. Once activated in a home network, these devices can be used by cybercriminals to mask their identity, launder traffic, or carry out illegal activities.

The FBI’s June 5 notice warned consumers that malicious actors are exploiting insecure devices to route harmful activity through the home networks of unsuspecting users. As a result, people may unwittingly find their IP addresses linked to crimes or suspicious behavior, placing them at risk of investigation despite having no direct involvement.

The Electronic Frontier Foundation (EFF) followed up with its own analysis to clarify what consumers should know and do.

What Types of Devices Are at Risk

The devices in question are typically Android-based and sold through third-party retailers or e-commerce sites at steep discounts. These include:

  • Android TV boxes
  • Streaming sticks
  • Projectors with built-in Android OS
  • Digital photo frames
  • Low-cost tablets and in-vehicle infotainment units

Some of these devices come preloaded with third-party app stores or promise free access to premium streaming services. These characteristics are among the warning signs highlighted by both the FBI and EFF.

EFF specifically points to boxes similar to the “T95” series, many of which ship with outdated versions of Android (like 9 through 12) and include unknown or unofficial app marketplaces. These app stores often lack any vetting process and are used to inject malware directly into system processes. The devices also frequently ship with Google Play Protect disabled or without Google certification at all.

How to Identify a Potentially Compromised Device

According to the FBI and security researchers, several indicators suggest your device might be part of a larger criminal proxy network:

  • Device has Google Play Protect turned off or is not Play Protect certified.
  • Preloaded apps cannot be uninstalled or removed from the system.
  • Device includes unknown third-party app marketplaces.
  • Model is generic or the brand lacks a legitimate manufacturer website.
  • Device is advertised as “unlocked” or “free access to streaming.”
  • Unexpected or unexplained traffic appears on your network.

You can verify Play Protect certification by checking the device’s settings or visiting Google’s official Play Protect page. Certified devices are listed and comply with baseline security and compatibility standards. Lack of certification means the device could bypass normal safeguards and is more likely to include persistent malware.

EFF also advises checking for unusual network activity, especially if the device is idle. For advanced users, packet monitoring tools can help determine if the device is reaching out to unexpected servers or IP addresses. For most consumers, however, the safest route is to avoid unknown-brand Android products altogether.
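The idle-traffic check described above can be run over flow records exported from a router or packet monitor. The following is an added example, not code from the FBI, EFF or this article; the log format, LAN range, idle hours and threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real traffic):
# time, source, destination, destination port, bytes.
SAMPLE_FLOWS = """\
2025-06-10T02:01:10 192.168.1.50 203.0.113.10 443 18200
2025-06-10T02:03:42 192.168.1.50 198.51.100.7 80 9100
2025-06-10T02:07:05 192.168.1.50 203.0.113.77 8080 40300
2025-06-10T02:15:31 192.168.1.50 198.51.100.200 443 77120
2025-06-10T02:20:00 192.168.1.20 203.0.113.10 443 1200
2025-06-10T03:11:09 192.168.1.50 192.168.1.1 53 120
2025-06-10T14:30:00 192.168.1.20 198.51.100.9 443 5000
malformed line
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network range

def parse_flow(line):
    """Return (time, src, dst, port, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), int(parts[4]))
    except ValueError:
        return None

def idle_summary(text, idle_hours=range(1, 5)):
    """Per LAN device: (distinct external destinations, bytes) while idle."""
    dests, sent = defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        when, src, dst, _port, nbytes = flow
        # Count only LAN-to-internet flows inside the assumed idle window.
        if when.hour in idle_hours and src in LAN and dst not in LAN:
            dests[str(src)].add(str(dst))
            sent[str(src)] += nbytes
    return {ip: (len(dests[ip]), sent[ip]) for ip in dests}

def suspicious_devices(text, min_dests=3):
    """Flag devices that contact many distinct external hosts while unused."""
    return sorted(ip for ip, (n, _b) in idle_summary(text).items() if n >= min_dests)
```

A device flagged here is a candidate for closer inspection, not proof of infection; legitimate update and telemetry traffic can also occur overnight.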

What to Do if You’re Impacted

If you’ve already purchased a questionable device, EFF recommends these steps:

  1. Disconnect the device from your network immediately.
  2. Attempt a factory reset and check for firmware updates from a known source (though this may not remove pre-installed malware).
  3. If malware persists, stop using the device or consider physically destroying it to avoid network compromise.
  4. Report the device and where you purchased it to the FBI’s Internet Crime Complaint Center (IC3).
  5. Contact your ISP and consider changing your IP address if your network has been used as a proxy without your knowledge.

For future purchases, consumers are urged to stick with major brands that are certified by Google and avoid devices marketed with vague claims, excessive discounts, or unauthorized access to premium content.

EFF’s final recommendation is to avoid anything that installs apps outside of the Google Play Store or disables standard Android protections.

Conclusion

The BADBOX campaign underscores the risk of trusting unknown brands in the connected device ecosystem. With malware baked into firmware, even savvy users can be exposed. The safest approach is to stick with certified, brand-name devices and stay away from offers that sound too good to be true.



Rich Tehrani serves as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026 and is CEO of RT Advisors and is a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.

