- BADBOX most likely originates from China
- The malware can run ad fraud, residential proxies, and more malicious activity
- The network was recently disrupted by German authorities
German authorities have managed to disrupt a major malware operation that affected thousands of Android devices across the country.
The Federal Office of Information Security (BSI) said BADBOX came preloaded on Android devices with older firmware, which were essentially sold as infected.
Some 30,000 devices across the country were compromised, the agency added, with digital picture frames, media players, and streaming devices being the most common endpoints – however, some smartphones and tablet devices were possibly infected as well.
Outdated Android devices
“What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware,” the BSI said in a press release.
The agency outlined how BADBOX was capable of carrying out a number of malicious activities.
Mostly, it was built to silently create new accounts for email and message services, which were later used to spread fake news, misinformation, and propaganda, but BADBOX was also designed to open websites in the background, which would count as ad views – a practice generally perceived as ad fraud.
Furthemore, the malware was able to act as a residential proxy service, lending the traffic to malicious third parties for different illegal activities. Finally, BADBOX can be used as a loader, as well, dropping additional malware on the devices.
The operation was reportedly first documented by HUMAN’s Satori Threat Intelligence more than a year ago, and that it most likely originates from China. The same threat actors allegedly operate an ad fraud botnet called PEACHPIT, as well, designed to spoof popular Android and iOS apps, and its own traffic from the BADBOX network.
“This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps,” HUMAN said at the time. “Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware.”
Via The Hacker News
