Major Malware Operation Disrupted: Germany’s BSI Takes Down BADBOX Threat Affecting 30,000 Devices
December 14, 2024 – Germany's Federal Office for Information Security (BSI) has disrupted BADBOX, a malware operation that had infected at least 30,000 internet-connected devices in the country. The BSI announced the takedown earlier this week, stating that the malware came preloaded on a range of consumer devices, including digital picture frames, media players, and smartphones.
The BSI cut the infected devices off from their command-and-control (C2) servers by sinkholing: the domain names the malware contacts are resolved to a server under the BSI's control, so the devices' C2 traffic ends up at the sinkhole instead of with the operators, and every connection that arrives there identifies an infected device. The BSI noted that all affected devices were running outdated versions of Android, leaving them exposed to known, unpatched vulnerabilities.
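The mechanism behind the takedown, as an added example (not code from the BSI, HUMAN, or this article): a toy DNS resolver that answers a list of sinkholed C2 domains, and their subdomains, with a defender-controlled address and records which client asked. Replaying a resolver query log through it shows how a sinkhole doubles as a census of infected devices, which is what an ISP would use to notify affected customers. The domain names, IP addresses, and log lines are constructed placeholders for this example; they are not BADBOX indicators or BSI infrastructure.

```python
"""Toy DNS sinkhole resolver illustrating the mechanism behind the BSI's BADBOX
takedown. Added example: the domains, addresses and log lines are constructed
placeholders, not BADBOX indicators or BSI infrastructure."""
from collections import defaultdict
from ipaddress import ip_address

# Hypothetical C2 domain names (constructed; .invalid is reserved and never resolves).
SINKHOLED_DOMAINS = {"update.c2-example.invalid", "cfg.c2-example.invalid"}
SINKHOLE_IP = "192.0.2.10"    # TEST-NET-1 address standing in for the sinkhole server
UPSTREAM_IP = "198.51.100.5"  # stand-in answer for every non-sinkholed name


class SinkholeResolver:
    """Answers sinkholed names (and their subdomains) with SINKHOLE_IP and records
    which client asked, which is what turns a sinkhole into an infection census."""

    def __init__(self, sinkholed):
        self.sinkholed = {d.rstrip(".").lower() for d in sinkholed}
        self.hits = defaultdict(set)  # client IP -> set of sinkholed names it queried

    def resolve(self, client_ip, qname):
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        # Walk from the full name up to the apex so subdomains of a listed zone match.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.sinkholed:
                self.hits[client_ip].add(name)
                return SINKHOLE_IP
        return UPSTREAM_IP

    def infected_clients(self):
        return sorted(self.hits, key=ip_address)

    def report(self):
        return {client: sorted(names) for client, names in self.hits.items()}


def process_query_log(log_text, resolver=None):
    """Replay a resolver query log ("timestamp client qtype qname" per line) through
    the sinkhole and return the resolver with its hit table populated."""
    resolver = resolver or SinkholeResolver(SINKHOLED_DOMAINS)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip rather than abort the replay
        _ts, client, _qtype, qname = fields
        try:
            ip_address(client)
        except ValueError:
            continue  # not a client address we can attribute
        resolver.resolve(client, qname)
    return resolver


# Constructed sample log: three customer devices, two of them infected.
SAMPLE_QUERY_LOG = """\
2024-12-12T10:15:03Z 10.0.0.7 A update.c2-example.invalid.
2024-12-12T10:15:04Z 10.0.0.7 A www.example.com
2024-12-12T10:15:09Z 10.0.0.9 A ads.cfg.c2-example.invalid
2024-12-12T10:16:00Z 10.0.0.12 AAAA www.example.org
2024-12-12T10:16:30Z 10.0.0.9 A UPDATE.C2-EXAMPLE.INVALID
garbage line that should be ignored
"""

if __name__ == "__main__":
    r = process_query_log(SAMPLE_QUERY_LOG)
    for client, names in r.report().items():
        print(f"{client}: queried {', '.join(names)} -> answered {SINKHOLE_IP}")
```

Two details matter in practice and are reflected above: matching is case-insensitive and covers subdomains, because C2 infrastructure routinely rotates hostnames under one zone, and only clients that actually queried a listed name land in the report, so a device on the same network that never contacted the C2 zone is not flagged.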
BADBOX was first documented by HUMAN's Satori Threat Intelligence and Research team in October 2023. It is planted somewhere in the supply chain of low-cost, off-brand Android devices, so the hardware is already compromised before the buyer powers it on. Once a device is online, the malware can harvest sensitive data, including authentication codes, and download and install additional malicious software.
BADBOX is also tied to an ad fraud operation known as PEACHPIT, which generates fake ad impressions through spoofed applications. The operators, reportedly based in China, monetize those impressions by selling them through programmatic advertising.
The BSI has instructed internet service providers with more than 100,000 customers to redirect traffic from the affected devices to its sinkhole, and it advises consumers to disconnect any affected product from the internet immediately. Because the malware ships in the device firmware rather than as an installed app, a factory reset does not remove it. The incident underscores how much caution buyers need to apply to the devices they purchase and connect to their networks, especially cheap, off-brand hardware.