Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Germany Sinkholes Botnet of 30,000 BadBox-Infected Devices

Germany’s cybersecurity agency BSI has sinkholed a botnet of 30,000 devices shipped with BadBox malware pre-installed.

At least 30,000 media devices were sold in Germany with pre-installed malware that ensnared them into a botnet, Germany’s Federal Office for Information Security (BSI) said on Thursday.

The infected photo frames and streaming devices were running older Android versions and were infected with the BadBox malware prior to arriving on shelves, the German cybersecurity agency says.

BSI says it has sinkholed the communication between the BadBox bots and their command-and-control (C&C) servers, instructing all internet providers in the country with more than 100,000 subscribers to help redirect traffic to the sinkhole.

The cybersecurity agency says it will work together with the internet providers to identify BadBox bots and alert consumers, and recommends that all infected devices be disconnected from the internet.

It also recommends that all users scan their devices for potential signs of infection and that they check the reliability of manufacturers and the security settings of devices before making purchases.

BadBox was initially detailed in October last year, after cybersecurity vendor Human Security discovered that over 70,000 Android smartphones, CTV boxes, and tablet devices from at least one Chinese manufacturer were shipped pre-installed with the Triada malware.

Advertisement. Scroll to continue reading.

As part of the BadBox campaign uncovered by Human Security, roughly 280,000 Android and iOS devices were being abused to conduct various ad-fraud schemes through tens of applications designed to connect to a fake supply-side platform (SSP).

Human Security also discovered that BadBox would allow threat actors to create WhatsApp messaging accounts and Gmail accounts, to turn devices into residential proxies, and to remotely install new applications and code.

Installed on low-cost devices via a supply chain compromise, BadBox resides on the firmware partition and cannot be removed by the end-user.

Related: Android Devices With Backdoored Firmware Found in US Schools

Related: ‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications

Related: Google Open Sources Security Patch Validation Tool for Android

Related: DrainerBot SKD Sucks Data and Battery From Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.