Germany Takes Down BADBOX Malware on 30,000 Devices with Sinkhole Operation

Germany’s Federal Office for Information Security (BSI) has revealed the disruption of a malware campaign known as BADBOX, which was pre-installed on at least 30,000 internet-enabled devices sold nationwide.

In an announcement earlier this week, the BSI confirmed that it had severed communication between the infected devices and their command-and-control (C2) servers by redirecting the domains through a sinkhole. Affected devices include digital picture frames, media players, streaming devices, and potentially smartphones and tablets.

According to the BSI, these devices share a common issue: they run outdated versions of Android and were distributed with pre-installed malware.

BADBOX was initially identified in October 2023 by HUMAN’s Satori Threat Intelligence and Research team. The malware was described as part of a sophisticated scheme that exploited vulnerabilities in the supply chain to install the Triada Android malware on low-cost, off-brand Android devices.

Once connected to the internet, the malware can harvest sensitive data, such as authentication codes, and install additional malicious software. The operation, believed to originate in China, also includes an ad fraud botnet called PEACHPIT. This botnet impersonates legitimate Android and iOS apps, generating fake traffic from BADBOX-infected devices. The fraudulent impressions are then sold through automated advertising systems.

HUMAN’s report highlighted the risks, noting that consumers might unknowingly purchase a BADBOX-infected device, connect it to the internet, and activate the embedded malware without realizing it.

The BSI further explained that compromised devices could serve as residential proxies, enabling other attackers to route their internet traffic through these devices to avoid detection. Additionally, these devices could be used to create accounts on platforms like Gmail and WhatsApp.

To counter the threat, the BSI has directed internet providers with over 100,000 subscribers to reroute traffic from infected devices to the sinkhole. It also advises users to immediately disconnect affected devices from the internet to prevent further exploitation.
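The sinkhole approach described above rests on two pieces a defender can reproduce: a resolver that answers sinkholed names with the sinkhole's address instead of the real C2, and log review that turns those redirected queries into a list of infected clients. The following Python is an added illustration, not code from the article, the BSI, or HUMAN; the domain names, the sinkhole IP and the query-log format are all constructed placeholders (the article names no domains), so a real deployment would substitute the actual blocklist and the resolver's own log layout.

```python
import re
from collections import defaultdict

# Constructed placeholders standing in for the sinkholed BADBOX/PEACHPIT domains.
# The article names none; a real blocklist would carry the actual C2 names.
SINKHOLED_DOMAINS = {
    "badbox-c2-placeholder.example",
    "peachpit-ads-placeholder.example",
}

# Address from the documentation range; stands in for the sinkhole host.
SINKHOLE_IP = "192.0.2.53"


def is_sinkholed(qname: str) -> bool:
    """True if the queried name or any parent domain is on the sinkhole list.

    Matching parents catches subdomains such as update.<c2-domain>, which
    malware often rotates without changing the registered domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in SINKHOLED_DOMAINS for i in range(len(labels)))


def resolve(qname: str, upstream_answer: str) -> str:
    """Resolver-side view: a sinkholed name gets the sinkhole address,
    anything else passes the upstream answer through untouched."""
    return SINKHOLE_IP if is_sinkholed(qname) else upstream_answer


# Constructed log format: "<timestamp> client <ip> query: <qname> <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def find_infected_clients(lines):
    """Map each client IP that queried a sinkholed name to the names it asked for.

    Malformed lines are skipped rather than raising, so one bad record does
    not abort a review of a large log.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        if is_sinkholed(m["qname"]):
            hits[m["ip"]].add(m["qname"].rstrip(".").lower())
    return dict(hits)


# Constructed sample log: two clients reach for placeholder C2 names,
# one client is clean, and one line is deliberately malformed.
SAMPLE_LOG = [
    "2024-12-12T10:00:01Z client 192.0.2.10 query: badbox-c2-placeholder.example. A",
    "2024-12-12T10:00:02Z client 192.0.2.10 query: www.example.net. A",
    "2024-12-12T10:00:03Z client 192.0.2.11 query: cdn.peachpit-ads-placeholder.example. A",
    "2024-12-12T10:00:04Z client 192.0.2.12 query: www.example.org. AAAA",
    "this line is not a query record",
]

if __name__ == "__main__":
    for ip, names in sorted(find_infected_clients(SAMPLE_LOG).items()):
        print(f"{ip} -> {', '.join(sorted(names))}")
```

Running the block lists the two placeholder clients that queried sinkholed names; an operator following the BSI's advice would use such a list to identify which devices on the network to disconnect.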
