Germany’s Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country.
In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets.
“What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware,” the BSI said in a press release.
BADBOX was first documented by HUMAN’s Satori Threat Intelligence and Research team in October 2023, describing it as a “complex threat actor scheme” that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links.
Once connected to the internet, the malware embedded into the devices can collect a wide range of data such as authentication codes, and install additional malware.
The operation, assessed to be operating out of China, also comprises an ad fraud botnet called PEACHPIT that’s designed to spoof popular Android and iOS apps and their own fraudulent traffic from the BADBOX-infected devices through the apps. The fake impressions are then sold through programmatic advertising.
“This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps,” HUMAN said at the time. “Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware.”
The BSI said that devices compromised by BADBOX are also capable of acting as a residential proxy service, allowing other threat actors to route their internet traffic through them while simultaneously evading detection. They could also be used to create online accounts on Gmail and WhatsApp.
In addition to instructing all internet providers in the country with more than 100,000 subscribers to redirect traffic to the sinkhole, the agency is urging consumers to disconnect affected devices from the internet with immediate effect.
