30,000 infected devices: how Germany neutralized the BadBox malware!


The German authorities have managed to disrupt the activity of the cybercriminals behind the BadBox malware! This is malware that comes pre-installed on Android devices. Let’s take a look at this threat.

  • The BadBox malware: what is it used for?
  • BSI’s action in Germany
  • Which devices are infected?
  • How do I avoid buying an infected device?

The BadBox malware: what is it used for?

The BadBox malware targets Android. It is embedded directly in the device firmware and has been found on a range of devices, including digital photo frames, media players, and even some smartphones and tablets. It cannot be ruled out that it is also present on other types of devices (smart TVs, Android boxes, surveillance cameras, etc.).

When a BadBox-infected device connects to the internet for the first time, the malware directly attempts to establish a connection with the attackers’ C2 (command and control) server. From there, hackers can interact with that device.

BadBox aims to steal data from the infected device, while also allowing attackers to deploy other malware or remotely access the network to which the device is connected. According to the German Federal Office for Information Security (BSI), this malware is capable of stealing MFA authentication codes and clicking on ads in the background to generate revenue.

In addition, BadBox reportedly allows the infected device to be used as a proxy, letting attackers route illegal activity through the victim’s internet connection so that it is harder to trace back to them.

BSI’s action in Germany

The German agency BSI managed to block communication between the devices infected by BadBox and the hackers’ C2 server infrastructure. To do this, they used a technique called DNS sinkholing, which redirects the DNS requests for the attackers’ domains.

This way, infected devices communicate with servers controlled by the authorities rather than with those controlled by the attackers. As a result, the attackers no longer receive the data stolen by the malware.

Which devices are infected?

The report published by the BSI mentions 30,000 devices infected by BadBox in Germany alone. Globally, this number must be much higher. In addition, in its report, the BSI says: “International reports suggest that smartphones and tablets can also be infected devices.”

What is certain is that the owners of devices affected by this DNS sinkholing operation will be notified by their Internet service provider based on their IP address. They will then still have to identify the problematic device in their home. Once this is done, the recommendation of the German authorities is clear: “The BSI therefore considers the number of unreported cases to be very high and requests that the corresponding devices be disconnected from the internet or no longer be used.”
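To make the two technical points of this section concrete, the sinkhole mechanism the BSI used and the task left to device owners of finding the offending device on their network, here is an added example (not code from the article, the BSI, or the ISPs involved). It models the resolver-side decision of a DNS sinkhole and then scans constructed dnsmasq-style query logs, as a home router or Pi-hole would produce, to see which LAN client keeps asking for a sinkholed name. The domain names, the sinkhole address and the log lines are all placeholders I constructed; the article publishes no BadBox indicators.

```python
"""
Added example, not from the original article or the BSI: a minimal model of
DNS sinkholing, plus a log check a home user or admin could run to find which
device on the LAN is talking to a sinkholed domain.

All domain names, IP addresses and log lines below are constructed
placeholders; the article publishes no BadBox indicators.
"""
import re
from collections import Counter, defaultdict

# Constructed placeholder list of zones to sinkhole (hypothetical names).
SINKHOLED_ZONES = {"c2-placeholder.example", "update-placeholder.example"}
# TEST-NET address standing in for a server controlled by the authorities.
SINKHOLE_IP = "192.0.2.10"


def in_sinkholed_zone(qname: str) -> bool:
    """True if qname is a sinkholed zone or any subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in SINKHOLED_ZONES)


def resolve(qname: str, upstream):
    """Sinkhole decision: answer sinkholed names ourselves, otherwise forward
    the query to the normal upstream resolver (passed in as a callable)."""
    if in_sinkholed_zone(qname):
        return SINKHOLE_IP
    return upstream(qname)


# dnsmasq-style query log format: "query[A] <name> from <client-ip>".
LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")

# Constructed sample log: one device (192.168.1.37) repeatedly asks for
# sinkholed names, the others only resolve ordinary hosts.
SAMPLE_LOG = """\
Jan 15 10:40:01 dnsmasq[812]: query[A] time.android.com from 192.168.1.21
Jan 15 10:40:03 dnsmasq[812]: query[A] api.c2-placeholder.example from 192.168.1.37
Jan 15 10:40:03 dnsmasq[812]: query[AAAA] api.c2-placeholder.example from 192.168.1.37
Jan 15 10:40:09 dnsmasq[812]: query[A] www.example.org from 192.168.1.21
Jan 15 10:41:15 dnsmasq[812]: query[A] cdn.update-placeholder.example from 192.168.1.37
Jan 15 10:41:20 dnsmasq[812]: query[A] www.example.org from 192.168.1.50
"""


def suspicious_clients(log_text: str):
    """Map each LAN client to the sinkholed names it queried, with counts.
    Clients that never touched a sinkholed zone are not included."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line; skip
        qname = m.group("qname")
        if in_sinkholed_zone(qname):
            hits[m.group("client")][qname.lower()] += 1
    return {client: dict(counter) for client, counter in hits.items()}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {names}")
```

The zone match deliberately requires a dot boundary, so `notc2-placeholder.example` is not caught by a rule for `c2-placeholder.example`; a plain suffix match would produce false positives on unrelated domains. On a real network the client address reported here would be looked up in the router’s DHCP lease table to get the device’s name and MAC address.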

How do I avoid buying an infected device?

Devices sold by little-known brands or at a very attractive price are more likely to come with malware. They may not have gone through the same checks, especially where security is concerned.

Moreover, on this subject, Google has provided additional information to the BleepingComputer website: “These off-brand devices whose infection was discovered were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have the results of the security and compatibility tests.

Play Protect certified Android devices undergo extensive testing to ensure their quality and user safety. To help you check if a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners.” You can also proceed as follows to check if your device is Play Protect certified.

This isn’t the first time malware has been preloaded on Android devices. We remember in particular a case involving multiple Android TV boxes infected with malware.

Source
