Germany Cuts Hacker Access To 30,000 Devices Infected With Badbox Malware
Category

### #BadBoxMalware #DeviceSecurity #FirmwareThreats

Summary: Germany’s cybersecurity agency has reported that over 30,000 internet-connected devices were found to be infected with pre-installed BadBox malware, primarily targeting Android devices. The agency has implemented measures to block communication between these devices and the attackers’ control servers, but risks remain for devices with outdated software.

Threat Actor: BadBox Operators
Victim: Internet-Connected Devices in Germany

Key Points:

  • BadBox malware embeds malicious code into the firmware of low-cost Android devices, allowing remote control and exploitation.
  • The BSI has employed sinkholing to redirect infected device traffic to safe servers, mitigating further damage.
  • Devices like digital photo frames and streaming boxes are particularly vulnerable, with many sold preloaded with Triada malware.
  • Outdated firmware poses significant risks, and consumers are urged to disconnect affected devices from the internet.
  • Research indicates that a large percentage of devices acquired from online retailers were infected, highlighting the widespread nature of the issue.

Germany’s cybersecurity agency reported on Thursday that at least 30,000 internet-connected devices sold across the country were infected with pre-installed malware known as BadBox.

In a statement, the Federal Office for Information Security (BSI) announced that it had blocked communication between the infected devices and the criminals’ control servers, preventing further damage. However, devices with outdated software remain at risk.

The hacker group behind BadBox primarily targets Android devices — such as smartphones, tablets, and connected TV streaming boxes — embedding malicious code into their firmware. According to previous reports, the operators of BadBox typically target low-cost devices, which are sold through online retailers or resale sites. 

These devices come preloaded with Triada, a type of malware that creates a backdoor allowing attackers to remotely control the device, inject additional malware, and exploit the device for various illicit activities.

The BSI reported that the BadBox malware it found on infected devices, like digital photo frames and streaming devices, can secretly create email and messenger accounts. This enables the malware to spread fake news, carry out advertising fraud, and serve as a proxy, allowing criminals to exploit the devices’ internet connections for cyberattacks or illegal content distribution.

German cyber authorities said they employed a method known as sinkholing to redirect traffic from these devices to safe servers, cutting hackers’ access to them. The BSI stated that all German internet service providers with over 100,000 customers are now legally required to redirect BadBox traffic to its sinkhole.

The BSI did not disclose the companies that manufactured the affected devices but urged consumers who received warnings from the authorities to disconnect these devices from the internet or stop using them. 
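To make the sinkholing step and the follow-up consumer warnings concrete, here is an added example (not BSI, ISP or Human Security code) of the resolver-side policy an ISP could apply: queries for listed control domains, or any subdomain of them, are answered with the sinkhole address, and hits are counted per subscriber so only affected customers are notified. All domains, addresses and log lines are constructed placeholders, not real BadBox indicators.

```python
"""DNS sinkhole policy with per-subscriber hit aggregation.

Added example (not BSI or ISP code). All domains, addresses and log lines
are constructed placeholders; none are real BadBox indicators.
"""
from collections import Counter
from typing import Optional

SINKHOLE_IP = "192.0.2.10"  # constructed: TEST-NET-1 address standing in for the sinkhole
SINKHOLE_ZONES = {"c2-placeholder.invalid", "update-placeholder.invalid"}  # constructed

def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return qname.rstrip(".").lower()

def sinkhole_target(qname: str) -> Optional[str]:
    """Return the sinkhole IP if qname is a listed zone or any subdomain of one,
    otherwise None (the query should be resolved normally)."""
    labels = normalize(qname).split(".")
    # Walk up the label hierarchy: api.c2.invalid -> c2.invalid -> invalid
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SINKHOLE_ZONES:
            return SINKHOLE_IP
    return None

def resolve(qname: str, upstream) -> str:
    """Answer from the sinkhole policy first, else ask the upstream resolver."""
    return sinkhole_target(qname) or upstream(qname)

def process_query_log(lines):
    """Apply the policy to 'client qname' log lines and return per-client hit
    counts, so the ISP can warn only subscribers whose devices beacon out."""
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        client, qname = line.split()[:2]
        if sinkhole_target(qname):
            hits[client] += 1
    return hits

# Constructed sample log: two subscribers, one with a beaconing device.
SAMPLE_LOG = """
198.51.100.7 api.c2-placeholder.invalid.
198.51.100.7 www.example.org
198.51.100.7 Update-Placeholder.INVALID
203.0.113.5 www.example.org
"""

if __name__ == "__main__":
    print(dict(process_query_log(SAMPLE_LOG.splitlines())))
```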

“There is no immediate danger for these devices as long as the BSI maintains the sinkholing measure,” the agency stated.

“Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions, in particular, pose a huge risk,” BSI president Claudia Plattner said in a statement. “We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market.”

Last October, researchers at the cyber firm Human Security discovered that over 70,000 Android smartphones, CTV boxes and tablet devices from at least one Chinese manufacturer were shipped pre-installed with Triada malware, which is linked to BadBox’s operators.

Human Security called BadBox “an incredibly sophisticated operation,” noting that it is nearly impossible for users to tell if their devices are compromised. Of the devices researchers acquired from online retailers, 80% were infected with BadBox, “which demonstrates how widely they were circulating on the market.”

The company said the hackers behind BadBox likely operate out of China and have access to hardware supply chains.

Source: https://therecord.media/germany-hacker-access-malware-cut