
Germany Halts BADBOX Malware on 30,000 Devices with Sinkhole Operation


Germany’s Federal Office of Information Security (BSI) has successfully disrupted a large-scale malware campaign named BADBOX, which infected over 30,000 internet-connected devices preloaded with malicious software.


The BSI, in a statement released earlier this week, revealed that the operation severed communications between the compromised devices and their command-and-control (C2) servers using a sinkhole action—a method that redirects malicious traffic to a controlled server. Impacted devices include digital picture frames, media players, streaming devices, and potentially smartphones and tablets.


Outdated Android and Pre-Installed Malware

“All these devices share one characteristic: they run outdated Android versions and were shipped with pre-installed malware,” the BSI emphasized in its report.


BADBOX: A Supply Chain Threat

BADBOX was first identified in October 2023 by HUMAN's Satori Threat Intelligence and Research Team, which described it as a complex supply chain attack. The malware exploits vulnerabilities in low-cost, off-brand Android devices by embedding the Triada malware during production.

Once connected to the internet, BADBOX:

  • Steals sensitive data like authentication codes.
  • Installs additional malware.


The malware’s operators, believed to be based in China, also leverage a connected ad fraud botnet named PEACHPIT. This botnet spoofs popular Android and iOS apps to generate fake traffic and fraudulent ad impressions, which are then monetized.

“This complete ad fraud loop allows them to profit off spoofed apps and fake impressions,” HUMAN explained. “Consumers often unknowingly purchase BADBOX devices online, plug them in, and expose themselves to this backdoor malware.”


Acting as Proxies for Cybercriminals

The BSI further warned that BADBOX-infected devices could serve as residential proxy services, enabling cybercriminals to route malicious traffic through unsuspecting users' devices. This technique helps attackers evade detection and facilitates activities such as creating fake Gmail and WhatsApp accounts.


Immediate Action Taken

To mitigate the threat, the BSI instructed all internet providers with more than 100,000 subscribers to redirect malicious traffic to the sinkhole. Additionally, German authorities are urging consumers to:

  • Disconnect compromised devices from the internet immediately.
  • Monitor for suspicious activity on their networks.

This proactive operation underscores the importance of supply chain security and the risks associated with using devices running outdated software.
