German agency BSI sinkholed a botnet of 30,000 devices infected with BadBox

Pierluigi Paganini December 13, 2024

The German agency BSI has sinkholed a botnet composed of 30,000 devices shipped with BadBox malware pre-installed.

The Federal Office for Information Security (BSI) announced it had blocked communication between the 30,000 devices infected with the BadBox malware and the C2. The devices were all located in Germany, they were all using outdated Android versions.

“The Federal Office for Information Security (BSI) has now blocked communication between the malware and the computer in up to 30,000 such devices in Germany. BadBoxand the perpetrators. What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware ” reads the announcement published by BSI.

Technically authorities sinkholed the botnet, an operation that involves redirecting the traffic from infected devices, which would normally communicate with the attacker’s C2 server, to a controlled server or “sinkhole” managed by security researchers or law enforcement. Sinkholing isolates the malware and prevents it from executing commands or stealing data.

The BadBox malware, pre-installed on devices, creates email and messaging accounts for spreading disinformation. The bot conducts ad fraud by accessing websites in the background and operates as a residential proxy, sharing the user’s internet connection for criminal activities, which can link the user’s IP address illegal activities. BadBox can also download additional payloads, amplifying the risks for the users.

The BSI instructed all internet providers in the country with more than 100,000 subscribers to help it to carry out sinkholing operations.

“Consumers whose devices can be identified as infected are usually informed by their telecommunications providers about the suspicion of a malware infection in their network based on their IP address.” continues the announcement. “The exact content of this information can vary depending on the provider . Since in this specific case, the products are often identical but sold under different names and descriptions, the BSI cannot name any products.

In October 2023, cybersecurity researchers at Human Security discovered a global network of consumer products, dubbed BADBOX, with firmware backdoors installed and sold through a compromised hardware supply chain.

The experts reported that at least 74,000 Android-based mobile phones, tablets, and Connected TV boxes worldwide were shipped with the backdoored firmware.

Products containing the malicious backdoor have been found on public school networks throughout the United States.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(Security Affairs – hacking, BadBox)

BADBOX botnet BSI Cybercrime Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security News

Pierluigi Paganini July 25, 2025

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

Pierluigi Paganini July 25, 2025