BADBOX malware affects 30,000 Android devices – make sure you update now


  • BADBOX most likely comes from China
  • The malware commits ad fraud, turns the device into a residential proxy and can load further malware
  • The network was recently disrupted by German authorities

German authorities have managed to disrupt a major malware operation that has affected thousands of Android devices across the country.

The Federal Office for Information Security (BSI) said BADBOX was pre-installed in the firmware of Android devices running outdated software, meaning the devices were already infected when sold. Because the malware ships as part of the firmware image rather than as a user-installed app, uninstalling apps does not remove it.

About 30,000 devices nationwide were compromised, the agency added, with digital photo frames, media players and streaming devices being the most common endpoints. However, some smartphones and tablets may have also been infected.

Outdated Android devices

“What all these devices have in common is that they run outdated Android versions and came with malware pre-installed,” the BSI said in a press release.

The agency outlined how BADBOX was able to carry out a number of malicious activities.

BADBOX was mostly built to silently create new accounts for email and messaging services, which were later used to spread fake news, disinformation and propaganda. It was also designed to open websites in the background so that the page loads count as ad views, a practice commonly considered ad fraud.

Furthermore, the malware can act as a residential proxy service, routing third parties' traffic through the infected device's home internet connection so that their illegal activity appears to come from an ordinary residential IP address. Finally, BADBOX can also be used as a loader, placing additional malware on the devices.

The operation was reportedly first documented over a year ago by HUMAN’s Satori Threat Intelligence team, and most likely originated in China. The same threat actors are also said to be operating an ad fraud botnet called PEACHPIT, which spoofs popular Android and iOS apps and generates its own ad traffic from devices in the BADBOX network.

“This complete ad fraud loop means they monetized the fake ad impressions on their own fraudulent, counterfeit apps,” HUMAN said at the time. “Anyone can accidentally buy a BADBOX device online without ever knowing it’s fake, plug it in and unknowingly open this backdoor malware.”

Via The Hacker News
