The Trojan in the Living Room: How the Kimwolf Botnet Hijacked 2 Million Android Devices
More than two million infected devices worldwide—this is the scale of the new botnet known as Kimwolf, according to an assessment published by Synthient. The countries reporting the highest number of infections include Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States.
The primary targets have been Android-based TV boxes and digital photo frames, many of which are sold on major online marketplaces under obscure or little-known brands. The spread of the malware has been linked to vulnerabilities in popular residential proxy networks, most notably IPIDEA.
The severity of the threat is defined not only by the speed of infection, but also by the method through which the malware infiltrates home networks. Kimwolf leverages proxy infrastructures, effectively transforming compromised devices into gateways into a user’s internal network.
In many cases, the malicious code is preinstalled by the manufacturer or introduced during the installation of third-party applications marketed as a way to bypass paid video subscriptions. Once activated, the malware converts the device into a proxy node that is rented out to criminals. Through this node, attackers can gain access to every other device on the local network, including those that appear to be isolated from the outside world.
An additional weak link lies in microcomputers lacking built-in security protections, widely used in the mass production of low-cost Android devices. Many ship with Android Debug Bridge (ADB) enabled by default, allowing remote access to system functions without any authentication. Research has shown that a single device with active ADB, combined with an infected smartphone on the same network, is sufficient for the malware to spread to all other vulnerable nodes—from digital photo frames to media players.
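The spread pattern described above (one infected device on the LAN reaching the ADB service on every other device that ships with it listening) leaves a recognisable trace in firewall or router flow logs. The following is an added example, not code from the Synthient report: it parses a handful of constructed flow-log lines in a hypothetical `key=value` format and flags any LAN host that connected to TCP port 5555 (the port ADB listens on over the network) on several other LAN hosts, and lists the LAN hosts that such connections were allowed to reach. The log format, the addresses and the two-target threshold are assumptions for the example.

```python
"""Detect ADB fan-out inside a LAN from flow logs (added example, not the
report's code).  The log format below is a constructed stand-in for a
router or firewall flow log; real logs will need their own regex."""
import ipaddress
import re
from collections import defaultdict

ADB_PORT = 5555  # TCP port used by ADB when it listens over the network

# Private ranges treated as "inside the home network" for this example.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical flow-log line shape: ts src= dst= proto= dport= action=
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample: .23 sweeps three neighbours on 5555 (one blocked),
# .50 touches a single neighbour, and .40 talks to an outside address.
SAMPLE_LOG = """\
2025-12-03T10:15:02Z src=192.168.1.23 dst=192.168.1.40 proto=tcp dport=5555 action=allow
2025-12-03T10:15:03Z src=192.168.1.23 dst=192.168.1.41 proto=tcp dport=5555 action=allow
2025-12-03T10:15:03Z src=192.168.1.23 dst=192.168.1.42 proto=tcp dport=5555 action=deny
2025-12-03T10:15:05Z src=192.168.1.23 dst=203.0.113.9 proto=tcp dport=443 action=allow
2025-12-03T10:16:11Z src=192.168.1.50 dst=192.168.1.40 proto=tcp dport=5555 action=allow
2025-12-03T10:17:00Z src=192.168.1.40 dst=203.0.113.77 proto=tcp dport=5555 action=allow
"""


def is_lan(addr):
    """True if the dotted-quad string falls inside one of LAN_RANGES."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def parse(log_text):
    """Turn matching log lines into dicts; silently skip lines that do not
    match, which is what you want for a mixed production log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def find_adb_lateral(log_text, min_targets=2):
    """Return {source: [targets]} for LAN hosts that attempted TCP/5555
    to at least `min_targets` distinct other LAN hosts.  Attempts count
    whether or not the firewall allowed them: the sweep is the signal."""
    fanout = defaultdict(set)
    for e in parse(log_text):
        if (e["proto"] == "tcp" and e["dport"] == ADB_PORT
                and is_lan(e["src"]) and is_lan(e["dst"])
                and e["src"] != e["dst"]):
            fanout[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in fanout.items()
            if len(dsts) >= min_targets}


def reachable_adb_hosts(log_text):
    """LAN hosts that an ADB connection was allowed to reach.  These are
    the candidates to check for ADB left enabled, then isolate or remove."""
    return sorted({e["dst"] for e in parse(log_text)
                   if e["proto"] == "tcp" and e["dport"] == ADB_PORT
                   and e["action"] == "allow" and is_lan(e["dst"])})


if __name__ == "__main__":
    print("ADB sweeps:", find_adb_lateral(SAMPLE_LOG))
    print("LAN hosts reached on 5555:", reachable_adb_hosts(SAMPLE_LOG))
```

One caveat a practitioner should keep in mind: most home routers switch traffic between two hosts on the same LAN without logging it, so this kind of detection only works where device-to-device traffic actually crosses a logging point, for example when the TV box or photo frame sits on a separate guest or IoT network and has to pass the router to reach anything else.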
Synthient researchers paid particular attention to the relationship between Kimwolf and the major proxy network IPIDEA. According to the company, the botnet relies on IPIDEA’s infrastructure for propagation, restoring its population to nearly two million infected devices within days of each takedown attempt. In response to notifications about the issue, IPIDEA stated that it had addressed the vulnerabilities, including shutting down a testing module that allowed attackers to bypass filtering mechanisms and penetrate local networks.
Kimwolf activity peaked in October and December 2025, during which hundreds of thousands of devices were infected worldwide. Independent research by the Chinese firm XLab confirmed the presence of the botnet across more than 2.7 million IP addresses, though the true number of compromised devices remains difficult to determine due to dynamic IP allocation and time zone differences.
Kimwolf functions as a platform for hosting malicious applications, selling bandwidth, and launching DDoS attacks. Its architecture allows traffic routed through infected devices to be easily obfuscated and redirected toward internal IP addresses, undermining fundamental principles of network isolation. Such attacks can lead not only to the infection of additional devices, but also to the takeover of routers and the modification of DNS settings, enabling complete traffic hijacking.
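The redirection of proxied traffic toward internal addresses described in this paragraph, and the filtering bypass that IPIDEA said it closed, both come down to one control: a proxy exit node must refuse to forward anything to an address on its own side of the router. The block below is an added example, not IPIDEA's or Synthient's code, showing a naive prefix check beside a hardened destination filter built on Python's `ipaddress` module. The function names and the blocklist are assumptions; the ranges themselves are the standard private, loopback, link-local, CGNAT and multicast allocations.

```python
"""Egress filter for a proxy exit node (added example).  A node that
forwards requests to its own LAN becomes a pivot into that network, so
the filter must be applied to the *resolved* IP addresses of every
destination, not to the hostname string the client supplied."""
import ipaddress

# Ranges a residential exit node must never forward to.  Listed
# explicitly rather than relying on ipaddress.is_private alone, because
# CGNAT (100.64.0.0/10) is not flagged by that property.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918
    "100.64.0.0/10",   # CGNAT, RFC 6598
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local (also cloud metadata endpoints)
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved and limited broadcast
    "::/128",          # IPv6 unspecified
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique local
    "fe80::/10",       # IPv6 link-local
    "ff00::/8",        # IPv6 multicast
)]


def normalize(addr):
    """Parse a literal address and unwrap IPv4-mapped IPv6, so that
    '::ffff:192.168.1.10' is judged as 192.168.1.10.  Returns None for
    anything that is not a literal IP address (hostnames must be
    resolved by the caller first)."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def naive_allowed(addr):
    """The weak check: a string-prefix test for one private range.  It
    misses 10/8, 172.16/12, CGNAT, loopback, link-local and every IPv6
    form, which is the kind of gap a bypass exploits."""
    return not addr.startswith("192.168.")


def egress_allowed(resolved_ips):
    """Hardened check.  `resolved_ips` is every A/AAAA answer the proxy
    itself obtained for the destination; forwarding is allowed only if
    all of them lie outside the blocked ranges.  An empty or unparsable
    answer set fails closed."""
    if not resolved_ips:
        return False
    for raw in resolved_ips:
        ip = normalize(raw)
        if ip is None:
            return False
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False
    return True


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for a public host.
    for answers in (["203.0.113.5"], ["10.0.0.5"], ["::ffff:192.168.1.10"],
                    ["100.64.3.4"], ["203.0.113.5", "192.168.0.1"]):
        print(answers, "->", "forward" if egress_allowed(answers) else "refuse")
```

Two design points matter here. Checking every resolved answer and failing closed on a mixed set defends against a name that resolves to one public and one internal address; unwrapping IPv4-mapped IPv6 and stripping brackets defends against alternative spellings of the same internal address slipping past a check written with only dotted-quad strings in mind.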
The situation is further exacerbated by the fact that many users purchase these devices without any awareness of their potential risks. Chinese-made media players and digital photo frames are often marketed as gateways to free content, but in reality become components of global malware networks. Even when reflashing the firmware is possible, it is far from an obvious or accessible solution for most consumers.
Google has previously initiated legal action against the operators of the BadBox 2.0 network, which similarly exploited infected Android devices for fraud and malware distribution. The FBI also issued warnings about mass device infections as early as mid-2025. The underlying problem is that compromise often occurs before the device ever reaches the user—or during its initial setup.
Among the recommended defensive measures are the use of guest Wi-Fi networks, purchasing devices only from reputable manufacturers, and completely avoiding applications from unofficial sources. Yet as infection rates climb and techniques for covert internal network access continue to evolve, even these precautions can no longer guarantee full protection.
Synthient has already published a list of device models most frequently commandeered by Kimwolf. The company emphasizes that the most reliable solution remains the physical removal of suspicious devices from the network. This is not merely advice—under current threat conditions, it represents the bare minimum required to maintain security.