Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

BADBOX malware hits 30,000 Android devices - make sure you update now

Android phone malware.

  • BADBOX most likely originates from China
  • The malware can run ad fraud, residential proxies, and more malicious activity
  • The network was recently disrupted by German authorities

German authorities have managed to disrupt a major malware operation that affected thousands of Android devices across the country.

The Federal Office of Information Security (BSI) said BADBOX came preloaded on Android devices with older firmware, which were essentially sold as infected.

Some 30,000 devices across the country were compromised, the agency added, with digital picture frames, media players, and streaming devices being the most common endpoints - however, some smartphones and tablet devices were possibly infected as well.

Outdated Android devices

"What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware," the BSI said in a press release.

A Google spokesperson also added that the devices were not Play Protect certified Android devices, meaning they weren't under Google's watchful eye:

“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results," the spokesperson told TechRadar Pro in an emailed statement. "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

The agency outlined how BADBOX was capable of carrying out a number of malicious activities.

Mostly, it was built to silently create new accounts for email and message services, which were later used to spread fake news, misinformation, and propaganda, but BADBOX was also designed to open websites in the background, which would count as ad views - a practice generally perceived as ad fraud.

Furthemore, the malware was able to act as a residential proxy service, lending the traffic to malicious third parties for different illegal activities. Finally, BADBOX can be used as a loader, as well, dropping additional malware on the devices.

The operation was reportedly first documented by HUMAN’s Satori Threat Intelligence more than a year ago, and that it most likely originates from China. The same threat actors allegedly operate an ad fraud botnet called PEACHPIT, as well, designed to spoof popular Android and iOS apps, and its own traffic from the BADBOX network.

"This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps," HUMAN said at the time. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware."

December 17 edit: Added a Google representative statement.

Via The Hacker News

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.