German authorities have blocked 30,000 digital picture frames, media players, and other Android devices from communicating with BadBox botnet control servers. The malware on these devices came pre-installed.
The German Federal Office for Information Security (BSI) warns users that Internet of Things (IoT) devices can be infected with malware and are a lucrative target for hackers.
The BSI found BadBox malware preinstalled on thousands of devices at the time of purchase. BadBox is an Android malware lurking within the device’s firmware. Infected devices immediately connect to the command-and-control (C2) server and allow attackers to intercept secret credentials, install additional payloads, gain access to the victim’s networks, launch DDoS (distributed denial of service) attacks, and more.
BadBox on the 30,000 infected devices created accounts for email and messenger services, which were used to spread fake news. BadBox is also used to carry out advertising fraud by accessing websites in the background. Third parties use users’ internet connections to secretly launch cyberattacks, spread illegal content, and engage in other criminal activities.
The BSI said it is currently redirecting communication between affected devices and the perpetrators' control servers through a sinkholing measure. This means that devices do not obtain the IP addresses of malicious servers. However, the risks remain.
“These devices face no acute danger as long as BSI maintains the sinkholing measure. However, all IT products with outdated firmware versions are generally at risk of being vulnerable to malware,” the BSI said.
All of the devices that came with pre-installed malware are also running outdated Android versions.
“Malware on internet-capable products is unfortunately not a rare phenomenon. Outdated firmware versions, in particular, pose an enormous risk,” said Claudia Plattner, BSI’s President.
“We all have a duty here: manufacturers and retailers are responsible for ensuring such devices don't come to the market. But consumers can also take action: cybersecurity should be an important criterion when making purchases!”
The problem affects numerous product categories; smartphones and tablets can also be infected. BSI didn’t name specific products or brands, as identical products are often sold under different names and descriptions.
Internet service providers in Germany typically inform customers about suspected malware infection in their network based on users' IP addresses.
BSI assumes that many cases might go unreported and calls on people to disconnect vulnerable devices from the internet or to stop using them altogether.
“BSI urges taking these notifications seriously and checking all internet-capable products in the respective network. An affected device should be immediately disconnected from the internet. Even consumers who are not directly notified should check their devices.”
There are usually no other mitigations for BadBox-affected devices. The malware is located on a non-writable partition of the firmware, which is not accessible to users.
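As an added illustration (not code from the article, the BSI, or Google) of the two measures described above, the small script below models a DNS sinkhole of the kind the BSI is operating, where a blocked C2 name is answered with a sinkhole address instead of the real server IP, and a log check a household or network admin could run to find which devices are trying to reach sinkholed names. All domains, addresses and log lines are constructed placeholders; the real BadBox indicators are not given on the page.

```python
# Added example: DNS sinkholing plus a per-device audit of query logs.
# All domains, IPs and log lines are constructed placeholders, not real BadBox indicators.
import re
from collections import defaultdict
from typing import Optional

SINKHOLE_IP = "192.0.2.1"  # documentation-range address standing in for the sinkhole

# Constructed placeholder C2 names (assumed, not from the article).
BLOCKED_DOMAINS = {"c2.example.invalid", "update.example.invalid"}

# Constructed upstream answers the resolver would otherwise hand out.
UPSTREAM = {
    "c2.example.invalid": "203.0.113.10",
    "update.example.invalid": "203.0.113.11",
    "www.example.org": "198.51.100.5",
}

def is_blocked(name: str) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    parts = name.rstrip(".").lower().split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))

def resolve(name: str) -> Optional[str]:
    """Sinkholing resolver: a blocked name gets the sinkhole address, so the
    device never learns the real C2 IP; other names are answered normally."""
    if is_blocked(name):
        return SINKHOLE_IP
    return UPSTREAM.get(name.rstrip(".").lower())

# Constructed BIND-style query-log line format.
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN A")

def audit(log_lines):
    """Map each client IP to the sinkholed names it tried to resolve, so the
    owner can find the device behind that address and take it offline."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_blocked(m.group("name")):
            hits[m.group("ip")].add(m.group("name").rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}

SAMPLE_LOG = [  # constructed sample lines
    "client 192.168.1.23#51234: query: c2.example.invalid IN A",
    "client 192.168.1.23#51240: query: sub.update.example.invalid. IN A",
    "client 192.168.1.50#40001: query: www.example.org IN A",
]

if __name__ == "__main__":
    for ip, names in audit(SAMPLE_LOG).items():
        print(f"{ip} queried sinkholed names: {', '.join(names)}")
```

Subdomains of a blocked name are treated as blocked too, which is why the second sample query is flagged.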
“These off-brand devices discovered to be infected were not Play Protect-certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect-certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified,” a Google spokesperson told Cybernews.
Updated on December 16th [07:30 a.m. GMT] with a statement from Google.