Digital picture frames or media players that are connected to the internet: Such devices can be infected with malware and are therefore increasingly being targeted by cyber criminals.
The German Federal Office for Information Security (BSI) has now blocked communication between the BadBox malware and the perpetrators on up to 30,000 such devices in Germany. What all these devices have in common is that they have outdated versions of Android and were delivered with pre-installed malware.
In all cases known to the BSI, the BadBox malware was already installed on the respective devices at the time of purchase. BadBox is able to create accounts for email and messenger services unnoticed, which can then be used to spread fake news. BadBox can also carry out advertising fraud (ad fraud) by accessing websites in the background. The malware can also act as a resident proxy service. It makes the user’s internet connection available to unknown third parties, who can then use it for criminal activities (cyber attacks, distribution of illegal content). As a result, the IP address of those affected can be linked to criminal acts. In addition, BadBox can download further malware.
The BSI is currently rerouting the communication of affected devices with the perpetrators’ control servers as part of a sinkholing measure in accordance with Section 7c of the BSI Act (BSIG). This affects providers with over 100,000 customers (more on sinkholing). There is no acute danger for these devices as long as the BSI maintains the sinkholing measure. In principle, however, all IT products with outdated firmware versions are at risk of being vulnerable to malware. This therefore affects numerous other product classes in addition to the photo frames and media players that came to light during the BSI measure. International reports suggest that smartphones and tablets may also be infected devices. The BSI therefore assumes that the number of unreported cases is very high and calls on people to disconnect such devices from the Internet or to stop using them.
Consumers whose devices can be identified as infected are usually informed by their telecommunications provider of the suspected malware infection in their network based on their IP address. The exact content of this information can vary depending on the provider. As the products in question are often identical in design but are marketed under different names and designations, the BSI is unable to name the product. However, the BSI asks that this information be taken seriously and that all internet-enabled products in the respective network be checked. An affected device should be disconnected from the Internet immediately. Consumers who are not immediately informed should also check their devices.
(ds/Federal Office for Information Security (BSI))