Germany’s Federal Office of Information Security (BSI) has successfully disrupted a large-scale malware operation known as BADBOX, which affected at least 30,000 internet-enabled devices sold across the country. This operation targeted outdated Android devices, including digital picture frames, media players, streamers, as well as potentially smartphones and tablets.
Key Breakthrough: Sinkholing
The BSI announced that it had interrupted the communication between the compromised devices and their command-and-control (C2) servers by deploying a sinkholing technique. By redirecting the manipulated domains the malware relied on, this intervention effectively cut the affected devices off from the malware's network.
About BADBOX
Initially identified by HUMAN's Satori Threat Intelligence and Research team in October 2023, BADBOX represents a significant threat. The operation exploited weaknesses in the supply chain of budget Android devices to pre-install Triada malware. Once the infected devices were connected to the internet, they were capable of harvesting extensive data, including authentication details, and could download additional malicious software.
Malicious Network and Fraudulent Activity
BADBOX is operated from China and includes an ad fraud network known as PEACHPIT. This botnet mimics legitimate Android and iOS applications, generating fraudulent traffic from infected devices and selling fake ad impressions through programmatic advertising channels. According to HUMAN, this generated substantial revenue from the spoofed apps.
Secondary Threats and Recommendations
The BSI highlighted that BADBOX-infected devices can function as residential proxies, allowing other cybercriminals to route traffic through them undetected and potentially create online accounts on platforms like Gmail and WhatsApp. The agency has instructed major internet providers to reroute affected users' traffic to a secure sinkhole and advised consumers to immediately disconnect any suspicious devices from the internet to prevent potential breaches.
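To make the sinkholing described above and the provider-side rerouting concrete, here is an added example (not code from the BSI, HUMAN, or the article) of the two pieces a resolver operator needs: a policy layer that answers queries for blocked C2 zones with a sinkhole address instead of the real one, and a pass over resolver query logs to identify which clients tried to reach those zones, so they can be notified to disconnect the device. The domain names, the sinkhole address, the log format, and the log lines are all constructed placeholders; they are not real BADBOX infrastructure.

```python
"""Illustrative DNS sinkhole policy and affected-client detection.

Added example; the blocklist, addresses, log format and log lines below are
constructed placeholders, not real BADBOX indicators.
"""
from __future__ import annotations

from dataclasses import dataclass

# RFC 5737 documentation address standing in for the server the sinkholed
# traffic is redirected to (assumption: the operator controls this host).
SINKHOLE_ADDR = "192.0.2.53"

# Constructed placeholder zones; a real deployment would load these from the
# indicator list supplied by the coordinating authority.
C2_DOMAINS = {"c2-placeholder-a.invalid", "c2-placeholder-b.invalid"}


def is_sinkholed(name: str, blocklist: set[str] = C2_DOMAINS) -> bool:
    """Return True if `name` is a blocked zone or lies beneath one.

    Matching is done on label boundaries, so `update.c2-placeholder-a.invalid`
    is caught while the unrelated `notc2-placeholder-a.invalid` is not.
    """
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Answer:
    name: str
    address: str | None   # None models NXDOMAIN from the upstream lookup
    sinkholed: bool


def resolve(name: str, upstream: dict[str, str],
            blocklist: set[str] = C2_DOMAINS) -> Answer:
    """Policy layer in front of recursion.

    Blocked zones are answered with the sinkhole address so the malware's
    C2 traffic lands on a server the defender controls; everything else is
    looked up in `upstream`, a constructed stand-in for real recursion.
    """
    key = name.rstrip(".").lower()
    if is_sinkholed(key, blocklist):
        return Answer(key, SINKHOLE_ADDR, True)
    return Answer(key, upstream.get(key), False)


# Constructed query-log format: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2024-12-12T10:00:01Z 198.51.100.7 A update.c2-placeholder-a.invalid
2024-12-12T10:00:02Z 198.51.100.7 A example.com
2024-12-12T10:00:05Z 198.51.100.7 A update.c2-placeholder-a.invalid
2024-12-12T10:01:00Z 203.0.113.9 A example.com
this line is malformed and must be skipped
2024-12-12T10:02:30Z 203.0.113.42 AAAA c2-placeholder-b.invalid
"""


def affected_clients(log_text: str,
                     blocklist: set[str] = C2_DOMAINS) -> dict[str, list[str]]:
    """Map each client address to the sorted, de-duplicated blocked names it queried.

    This is the list an operator would use to notify subscribers that a device
    on their connection is talking to the malware's domains.
    """
    hits: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:      # skip malformed lines rather than crash
            continue
        _ts, client, _qtype, qname = fields
        qname = qname.rstrip(".").lower()
        if is_sinkholed(qname, blocklist):
            hits.setdefault(client, set()).add(qname)
    return {client: sorted(names) for client, names in sorted(hits.items())}


if __name__ == "__main__":
    print(resolve("update.c2-placeholder-a.invalid", {}))
    print(resolve("example.com", {"example.com": "203.0.113.80"}))
    for client, names in affected_clients(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

The label-boundary check in `is_sinkholed` matters in practice: a naive suffix match would either miss subdomains the malware rotates through or over-block unrelated names that merely end in the same characters. Keeping the client list de-duplicated and sorted makes the notification output stable across repeated log runs.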