Gandalf_The_Grey
Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.
The types of impacted devices include digital picture frames, media players and streamers, and potentially smartphones and tablets.
BadBox is an Android malware that comes pre-installed in an internet-connected device's firmware that is used to steal data, install additional malware, or for the threat actors to remotely gain access to the network where the device is located.
When an infected device is first connected to the internet, the malware will attempt to contact a remote command and control server run by the threat actors. This remote server will tell the BadBox malware what malicious services should be run on the device and will also receive data stolen from the network.
BSI says the malware can steal two-factor authentication codes, install further malware, and create email and messaging platform accounts to spread fake news. It can also engage in ad fraud by loading and clicking on ads in the background, generating revenue for fraud rings.
Finally, BadBox can be set up to act as a proxy, allowing other people to use the device's internet bandwidth and hardware to route their own traffic. This tactic, known as residential proxying, often involves illegal operations that implicate the user's IP address.
Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers.
Sinkholing prevents the malware from sending stolen data to the attackers and receiving new commands to execute on the infected device, effectively preventing the malware from working.
"The BSI is currently redirecting the communication of affected devices to the perpetrators' control servers as part of a sinkholing measure pursuant to Section 7c of the BSI Act (BSIG)," reads BSI's announcement.
"This affects providers who have over 100,000 customers. There is no acute danger for these devices as long as the BSI maintains the sinkholing measure."
Source: Germany blocks BadBox malware loaded on 30,000 Android devices (www.bleepingcomputer.com)
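To make the sinkholing step concrete, here is a small added example (mine, not from the article, BSI or BleepingComputer) of what a defender-side DNS sinkhole does: queries for listed C2 domains get answered with the address of a server the defenders control, and the resolver log then tells you which devices on the network are infected. The domain names, the sinkhole address and the log lines are all constructed placeholders; none of them are real BadBox indicators.

```python
from collections import defaultdict

# Constructed sinkhole policy. The .invalid TLD is reserved, so these can never
# resolve for real; they stand in for the attacker-controlled C2 names.
SINKHOLE_DOMAINS = {"c2-example.invalid", "update-example.invalid"}

# Address of the defender-controlled sinkhole server (documentation range,
# placeholder for the police-controlled server mentioned in the article).
SINKHOLE_IP = "192.0.2.53"

# Constructed resolver log, one query per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-12-12T09:00:01 10.0.0.21 A c2-example.invalid
2024-12-12T09:00:02 10.0.0.22 A www.example.com
2024-12-12T09:00:05 10.0.0.21 A api.c2-example.invalid
2024-12-12T09:00:09 10.0.0.35 AAAA update-example.invalid
2024-12-12T09:00:11 10.0.0.22 A cdn.example.net
"""


def is_sinkholed(qname: str) -> bool:
    """True if qname is a sinkholed domain or any subdomain of one.

    Trailing dots and case are normalised so "API.c2-example.invalid." matches.
    A name that merely ends with the same characters (e.g. "notc2-example.invalid")
    does not match, because the label boundary is checked.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SINKHOLE_DOMAINS)


def resolve(qname: str, upstream) -> str:
    """Answer a query the way a sinkholing resolver would.

    Sinkholed names get the sinkhole address, so the malware talks to the
    defenders' server; everything else is forwarded to the normal upstream.
    `upstream` is a callable taking a name and returning an address.
    """
    if is_sinkholed(qname):
        return SINKHOLE_IP
    return upstream(qname)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def affected_clients(log_text: str) -> dict:
    """Map each client IP that asked for a sinkholed name to the names it queried.

    This is the list an operator or ISP would use to notify owners of infected
    devices; the malware is contained by the sinkhole, but the device still
    needs to be cleaned or replaced.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_sinkholed(rec["qname"]):
            hits[rec["client"]].add(rec["qname"])
    return {client: sorted(names) for client, names in sorted(hits.items())}


if __name__ == "__main__":
    # Stand-in for a real upstream resolver (constructed answer).
    def fake_upstream(name: str) -> str:
        return "198.51.100.10"

    for name in ("c2-example.invalid", "www.example.com"):
        print(f"{name} -> {resolve(name, fake_upstream)}")
    for client, names in affected_clients(SAMPLE_LOG).items():
        print(f"infected client {client}: {', '.join(names)}")
```

The point of the subdomain check in `is_sinkholed` is that malware rarely queries the bare C2 domain; it usually asks for hosts beneath it, so a sinkhole that only matches exact names leaves most of the traffic untouched.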