Germany's Federal Office for Information Security (BSI) has taken decisive action against a significant cyber threat posed by pre-installed BadBox malware found in internet-connected devices such as digital photo frames and media players. These devices, numbering up to 30,000 across Germany, were shipped with outdated Android firmware and infected with the “BadBox” malware family. BSI President Claudia Plattner emphasized the growing risks of outdated firmware in connected devices, calling for greater accountability from manufacturers and retailers. “Manufacturers and retailers are responsible for ensuring such devices don't reach the market, but consumers also have a role to play by prioritizing cybersecurity when making purchases,” Plattner said.
The BSI identified that these devices were infected with BadBox at the time of sale. The malware is capable of covertly performing several malicious actions, including:
- Creating fake accounts for email and messenger services to spread misinformation.
- Committing ad fraud by secretly visiting websites in the background to generate revenue.
- Acting as residential proxies, enabling unknown third parties to exploit users' internet connections for illegal activities, including cyberattacks and distribution of unlawful content.
- Downloading additional malware, increasing the threat to users over time.
In response, the BSI implemented a “sinkholing” operation under Section 7c of the BSI Act (BSIG). This involves redirecting the communication between infected devices and the malware's command-and-control servers, which protects users and severs the criminals' access.
Consumer guidance
The devices infected with BadBox malware included digital photo frames and media players, but the BSI warns that other product categories, such as smartphones and tablets with outdated firmware, may also be affected. Because the issue is widespread and the devices are sold anonymously under various brand names, the BSI could not specify the exact products involved.
The BSI highlighted the critical risks associated with outdated firmware across IoT devices, which are increasingly exploited by cybercriminals. Reports from international sources further suggest a high number of unreported cases, prompting a nationwide alert.
The BSI has advised consumers to immediately disconnect potentially affected devices from the internet and stop using them. Internet service providers are tasked with notifying users whose devices have been identified as compromised, though not all affected users may receive such alerts.
To mitigate future risks, the BSI offers the following recommendations:
- Check if the product has official manufacturer support.
- Ensure the device runs a current version of its operating system.
- Research the manufacturer's reputation for security practices.
- Regularly update firmware and software where possible.
- Limit internet connectivity for devices that do not require it.
- Monitor network activity for unusual behavior.