Wednesday, April 2, 2025

German authorities disrupt BADBOX malware network targeting 30,000 devices using sinkhole tactics.

Germany’s Federal Office for Information Security (BSI) announced the disruption of the BADBOX malware operation, which was preinstalled on at least 30,000 internet-enabled devices sold across the country.

Authorities announced earlier this week that they had disrupted malicious activities by severing the communication links between compromised devices and their command-and-control (C2) servers through domain sinkholing. Devices such as digital image frames, media players, and streamers, along with specific smartphones and tablets, have been impacted.

According to the UK’s National Cyber Security Centre, what many of these low-cost smartphones have in common is that they shipped with outdated Android operating systems and came with malicious software pre-installed.

In October 2023, HUMAN’s Satori Risk Intelligence and Analysis group published its findings on BADBOX, labeling it an “advanced menace actor scheme”. This nefarious operation involves deploying the Triada Android malware on budget-friendly, non-branded Android devices by exploiting vulnerable supply chain links.

As devices interact with the internet, embedded malware can gather various forms of information, such as authentication codes, and deploy additional malicious software.

The operation, believed to be run out of China, includes an ad fraud botnet known as PEACHPIT, a set of spoofed apps that mimic popular Android and iOS apps and generate fake ad traffic from BADBOX-infected devices through those same apps. The fake impressions are then bought and sold through programmatic advertising.

“This elaborate scheme of advert fraud has enabled them to generate wealth through fake advert impressions on their own fraudulent, spoofed apps,” HUMAN declared at the time. “Inadvertently, consumers may procure a fake BADBOX system online, unaware of the potential risks, simply plug it in, and unwittingly grant access to malicious software.”

According to the BSI, devices compromised by BADBOX can also operate as residential proxies, letting other malicious actors route their internet traffic through the infected systems while evading detection. They have also been used to abuse email services such as Gmail and messaging apps such as WhatsApp.

The agency has ordered all internet service providers in the country serving more than 100,000 subscribers to redirect traffic from infected devices to a designated sinkhole, and it advises customers to disconnect affected devices from the internet immediately.
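The two mechanisms the article describes, resolver-side sinkholing of C2 domains and the resulting list of subscribers to notify, as an added example (not code from the BSI, HUMAN, or the original article); every domain, address and log line in it is a constructed placeholder, not a real BADBOX indicator:

```python
"""Simulate ISP-side DNS sinkholing of botnet C2 domains.

Models the mechanism in the article: a resolver rewrites answers for known
C2 domains to a sinkhole address, and the sinkhole hit log tells the ISP
which subscribers own infected devices and should be notified.
All domains, addresses and log lines below are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed placeholder C2 domains and sinkhole address (NOT real indicators).
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address
SINKHOLED_DOMAINS = {"c2-example-a.invalid", "c2-example-b.invalid"}

# Constructed resolver query log, one "timestamp client_ip qname" per line.
QUERY_LOG = """\
2025-04-01T10:00:01 203.0.113.10 update.c2-example-a.invalid
2025-04-01T10:00:02 203.0.113.11 www.example.org
2025-04-01T10:00:05 203.0.113.10 c2-example-b.invalid
2025-04-01T10:00:07 203.0.113.12 C2-Example-A.INVALID
2025-04-01T10:00:09 203.0.113.11 mail.example.net
"""


def is_sinkholed(qname: str) -> bool:
    """True if qname or any parent domain is on the sinkhole list (case-insensitive)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SINKHOLED_DOMAINS for i in range(len(labels)))


def resolve(qname: str, upstream_answer: str) -> str:
    """Policy step: hand back the sinkhole address instead of the real one for C2 names."""
    return SINKHOLE_IP if is_sinkholed(qname) else upstream_answer


def sinkhole_hits(log: str) -> Dict[str, List[str]]:
    """Map each client IP to the sinkholed names it queried.

    These clients are the subscribers the ISP would notify about an infected device.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if is_sinkholed(qname):
            hits[client].append(qname.lower())
    return dict(hits)


if __name__ == "__main__":
    for client, names in sinkhole_hits(QUERY_LOG).items():
        print(f"notify {client}: infected device contacted {', '.join(names)}")
```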
