German authorities disrupted a large-scale malware distribution ring known as BADBOX, continuing Germany’s string of successfully busting malware organizations and online hacking groups.

Law enforcement agencies cut off the group’s connection to its C2 servers in an act called “sinkholing.” This effectively destroyed the website. In the best-case scenario, this cripples the group beyond repair, in the worst-case scenario, its activities are still temporarily halted.

BADBOX mostly infected low-end devices and spread to more than 30,000 Android devices across Germany, making it a national cybersecurity risk.

The hackers didn’t access someone’s Android or get them through phishing scams. Instead, the organization attacked the pre-installed apps on people’s phones, infecting them during their creation. Out-of-date Android phones were hacked pre-distribution and carried the Triada malware before it got a chance to reach someones pockets.

Triada creates a backdoor into someone’s phone that BADBOX would use to exfiltrate people’s data and grant themselves administrative access to the phone.

However, authorities also learned that BADBOX was only a cog in a greater malware-distribution machine. BADBOX would install a backdoor and spy on customers, but it also powered the PEACHPIT botnet.

PEACHPIT is a botnet that displays fraudulent advertisements for spoofed Android and iOS apps. For example, it might display a fake version of YouTube and encourage users to click on the ad.

It monetized itself via programmatic advertisement wherein the hackers would earn money from fraudulent advertisers each time a user interacted with their ad.

Altogether, BADBOX would seek vulnerabilities in out-of-date Android devices, infecting them during the distribution stage. Afterward, hackers would later infect specific devices with PEACHPIT and display numerous false advertisements to them. Clicking on these ads would most likely give the user additional malware and generate profit for the hacking group at the same time.

Needless to say, the German authority’s victory over BADBOX is a great step towards improving Germany’s cybersecurity landscape.