{
	"id": "3e6a7b02-069c-4aff-9f1f-1d6abd79ff90",
	"created_at": "2026-04-06T00:16:21.01725Z",
	"updated_at": "2026-04-10T03:21:26.275827Z",
	"deleted_at": null,
	"sha1_hash": "dbac9170cd62c805e42de282825dfd12df65dd99",
	"title": "Germany blocks BadBox malware loaded on 30,000 Android devices",
	"llm_title": "",
	"authors": "Bill Toulas",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2350142,
	"plain_text": "Germany blocks BadBox malware loaded on 30,000 Android devices\r\nBy Bill Toulas\r\nPublished: 2024-12-13 · Archived: 2026-04-05 18:48:27 UTC\r\nGermany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation, which was pre-loaded on over 30,000 Android IoT devices sold in the country.\r\nThe affected device types include digital picture frames, media players and streamers, and potentially smartphones and tablets.\r\nBadBox is Android malware that ships pre-installed in an internet-connected device's firmware. It is used to steal data, install additional malware, and give the threat actors remote access to the network on which the device sits.\r\nhttps://www.bleepingcomputer.com/news/security/germany-blocks-badbox-malware-loaded-on-30-000-android-devices/\r\nWhen an infected device is first connected to the internet, the malware attempts to contact a remote command and control (C2) server run by the threat actors. That server tells the BadBox malware which malicious services to run on the device and also receives the data stolen from the network.\r\nBSI says the malware can steal two-factor authentication codes, install further malware, and create email and messaging platform accounts to spread fake news. It can also engage in ad fraud by loading and clicking on ads in the background, generating revenue for fraud rings.\r\nFinally, BadBox can be set up to act as a proxy, allowing other people to route their own traffic through the device's internet connection and hardware. This tactic, known as residential proxying, is often used for illegal activity, which then appears to originate from the device owner's IP address.\r\nGermany's cybersecurity agency says it blocked communication between the BadBox-infected devices and their C2 infrastructure by sinkholing DNS queries, so that the malware's C2 lookups resolve to servers controlled by the authorities rather than to the attackers' servers.\r\nSinkholing stops the malware from sending stolen data to the attackers and from receiving new commands to execute on the infected device, effectively neutralizing it. Because the measure works at the DNS layer, it only covers devices whose C2 lookups pass through the resolvers of the participating providers; the infection itself remains on the device, which is why BSI advises disconnecting it.\r\n\"The BSI is currently redirecting the communication of affected devices to the perpetrators' control servers as part of a sinkholing measure pursuant to Section 7c of the BSI Act (BSIG),\" reads BSI's announcement.\r\n\"This affects providers who have over 100,000 customers. There is no acute danger for these devices as long as the BSI maintains the sinkholing measure.\"\r\nInfected device owners to be notified\r\nDevice owners affected by the sinkholing operation will be notified by their internet service providers, who identify them by IP address.\r\nThe agency says that anyone who receives a notification should immediately disconnect the device from their network or stop using it. Because the malware was pre-installed in the device's firmware, other firmware images from the same manufacturer should not be trusted either; the device should be returned or discarded.\r\nBSI notes that all of the impacted devices were running outdated Android versions and old firmware, so even if they were secured against BadBox, they remain vulnerable to other botnet malware for as long as they are exposed online.\r\n\"Malware on internet-enabled products is unfortunately not a rare phenomenon. Outdated firmware versions in particular pose a huge risk,\" warned BSI President Claudia Plattner. \"We all have a duty here: manufacturers and retailers have a responsibility to ensure that such devices do not come onto the market. But consumers can also do something: cyber security should be an important criterion when purchasing!\"\r\nMoreover, the announcement notes that, given the vast variety of Android IoT manufacturers and device iterations, it is very likely that many more devices infected by BadBox or similar malware exist in the country that BSI could not pinpoint this time.\r\nThese may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that reach consumers through obscure manufacturing and resale channels.\r\nSigns that a device is infected by botnet malware include overheating while seemingly idle, random performance drops, unexpected settings changes, atypical activity, and connections to unknown external servers.\r\nTo mitigate the risk posed by outdated Android IoT devices, install a firmware image from a trustworthy vendor, turn off unnecessary connectivity features, and keep the device isolated from critical networks.\r\nIn general, buy smart devices only from reputable manufacturers and look for products that offer long-term security support.\r\nUpdate 12/14 - Google has sent BleepingComputer the below statement:\r\n\"These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.\r\nPlay Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.\" - A Google spokesperson\r\nSource: https://www.bleepingcomputer.com/news/security/germany-blocks-badbox-malware-loaded-on-30-000-android-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/germany-blocks-badbox-malware-loaded-on-30-000-android-devices/"
	],
	"report_names": [
		"germany-blocks-badbox-malware-loaded-on-30-000-android-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbac9170cd62c805e42de282825dfd12df65dd99.pdf",
		"text": "https://archive.orkl.eu/dbac9170cd62c805e42de282825dfd12df65dd99.txt",
		"img": "https://archive.orkl.eu/dbac9170cd62c805e42de282825dfd12df65dd99.jpg"
	}
}