Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country.
In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets.
"What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware," the BSI said in a press release.
BADBOX was first documented by HUMAN's Satori Threat Intelligence and Research team in October 2023, describing it as a "complex threat actor scheme" that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links.
Once connected to the internet, the malware embedded into the devices can collect a wide range of data such as authentication codes, and install additional malware.
The operation, assessed to be operating out of China, also comprises an ad fraud botnet called PEACHPIT that's designed to spoof popular Android and iOS apps and their own fraudulent traffic from the BADBOX-infected devices through the apps. The fake impressions are then sold through programmatic advertising.
"This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps," HUMAN said at the time. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware."
The BSI said that devices compromised by BADBOX are also capable of acting as a residential proxy service, allowing other threat actors to route their internet traffic through them while simultaneously evading detection. They could also be used to create online accounts on Gmail and WhatsApp.
In addition to instructing all internet providers in the country with more than 100,000 subscribers to redirect traffic to the sinkhole, the agency is urging consumers to disconnect affected devices from the internet with immediate effect.
Update
Following the publication of the story, a Google spokesperson shared the below statement with The Hacker News -
These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.
Cybersecurity Bitsight, in an analysis published December 17, 2024, said it identified 192,000 BADBOX infected devices, citing telemetry data, with most of them traced back to Yandex 4K QLED TV and T963 Hisense smartphone. The top affected countries are Russia, China, India, Belarus, Brazil, and Ukraine.
"The compromised firmware on the device ensures that, upon booting, it will immediately try to connect to the malicious infrastructure in an attempt to load its backdoor," the company said. "The backdoor itself is capable of downloading secondary payloads that allow further remote module installation without permissions."