Germany’s Federal Office for Information Security (BSI) has announced that it has foiled a malware operation called BADBOX that was pre-installed on at least 30,000 internet-connected devices sold across the country.
In a statement released earlier this week, authorities said they had severed communications between the devices and their command-and-control (C2) servers by seizing the relevant domains. Affected devices include digital photo frames, media players and streamers, and likely phones and tablets.
“What all these devices have in common is that they have outdated versions of Android and come with malware pre-installed,” the BSI said. said in a press release.
BADBOX was documented for the first time the HUMAN Satori Threat Intelligence and Research team in October 2023. described it as a “sophisticated threat actor scheme” involving the deployment of Triada Android malware on low-cost, third-party Android devices by exploiting weak links in the supply chain.
Once connected to the Internet, malware embedded in devices can collect a wide range of data, such as authentication codes, and install additional malware.
The operation, believed to be run from China, also includes an ad fraud botnet called PEACHPIT, which is designed to spoof popular Android and iOS apps and their own fraudulent traffic from BADBOX-infected devices through the apps. The fake impressions are then sold through programmatic advertising.
“This full cycle of ad fraud means they’ve been making money off fake ad impressions on their own fraudulent, fake apps,” HUMAN said at the time. “Anyone can accidentally purchase a BADBOX device online without even knowing it’s a fake, plugging it in, and unknowingly opening this backdoor malware.”
The BSI said the devices compromised by BADBOX are also capable of acting as a residential proxy service, allowing other threat actors to route their internet traffic through them while avoiding detection. You could also get used to them create online accounts on Gmail and WhatsApp.
In addition to instructing all ISPs in the country with more than 100,000 subscribers to redirect traffic to the funnel, the agency is urging consumers to immediately disconnect affected devices from the Internet.
