Cyber Security

Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action

Dec 14, 2024Ravie LakshmananBotnet / Ad Fraud

Germany’s Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country.

In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets.

“What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware,” the BSI said in a press release.

Cybersecurity

BADBOX was first documented by HUMAN’s Satori Threat Intelligence and Research team in October 2023, describing it as a “complex threat actor scheme” that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links.

Once connected to the internet, the malware embedded into the devices can collect a wide range of data such as authentication codes, and install additional malware.

The operation, assessed to be operating out of China, also comprises an ad fraud botnet called PEACHPIT that’s designed to spoof popular Android and iOS apps and their own fraudulent traffic from the BADBOX-infected devices through the apps. The fake impressions are then sold through programmatic advertising.

“This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps,” HUMAN said at the time. “Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware.”

Cybersecurity

The BSI said that devices compromised by BADBOX are also capable of acting as a residential proxy service, allowing other threat actors to route their internet traffic through them while simultaneously evading detection. They could also be used to create online accounts on Gmail and WhatsApp.

In addition to instructing all internet providers in the country with more than 100,000 subscribers to redirect traffic to the sinkhole, the agency is urging consumers to disconnect affected devices from the internet with immediate effect.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

AI Enhances Northern Lights Classification and Geomagnetic Storm Forecasting
Amazon Great Republic Day Sale 2025: Best Deals on iPhone 16, iPhone 15 and Other Models
BGMI Introduces Mahindra BE 6-Themed Content; Lets Gamers Compete to Win the eSUV
Up Network, DreamSmart Launch Web3 Smart Glasses with Google Gemini
iPhone 17 Pro, iPhone 17 Pro Max Tipped to Debut With Upgraded Telephoto and Selfie Cameras