5,000 Icelandic smart devices infected with BADBOX malware, many pre-compromised at factory
- Budget Android TV boxes, tablets, and streaming sticks bought from foreign online marketplaces are the primary carriers
- Some devices arrive pre-infected from the supply chain; others are compromised the moment users sideload apps from unofficial stores
- Infected devices can be weaponised for DDoS attacks, ad fraud, residential proxy services, and spam — without the owner noticing
- CERT-IS shares data with Icelandic telecoms but says the flow of compromised devices into the country is constant and difficult to stop
Iceland's national cybersecurity unit CERT-IS has detected BADBOX malware on roughly 5,000 smart devices across the country, RÚV reports. The infected hardware — cheap Android TV boxes, tablets, streaming sticks, and even aftermarket car entertainment systems — has been quietly enrolled in criminal botnets capable of launching attacks on targets worldwide. In a country of 380,000 people, 5,000 compromised devices works out to roughly one infected device for every 75 residents, with owners unwittingly hosting criminal infrastructure in their living rooms.
CERT-IS director Magni R. Sigurðsson told RÚV that many of the devices arrive pre-infected from the supply chain. The malware is baked into the firmware before the product ever ships, meaning the buyer has zero opportunity to prevent compromise. In other cases, infection occurs the moment a user sets up the device and downloads apps from unofficial stores — a common step for owners of budget Android TV boxes marketed as "unlocked" gateways to free streaming content. "This is a network of devices controlled by some attacker who can use them for further attacks," Sigurðsson said.
Once enrolled in the botnet, a device connects to command-and-control servers and waits for instructions. It can be directed to participate in distributed denial-of-service (DDoS) attacks, generate fraudulent ad clicks, serve as a residential proxy that masks criminal traffic behind an ordinary household IP address, or pump out spam and phishing emails. The device continues to function normally throughout. The owner streams a film; the botnet operator launches an attack. Both happen simultaneously on the same hardware.
The consequences for individual households go beyond abstract complicity. A home IP address used in criminal operations can end up on international blacklists, disrupting legitimate internet use. Other devices on the same Wi-Fi network become exposed to lateral infection. Personal data stored on the compromised device — including payment information — is accessible to whoever controls the backdoor. Asked whether CERT-IS can determine if specific Icelandic devices have been used in particular crimes or attacks, Sigurðsson was blunt: "No, we don't actually see that. We basically just see that these devices are infected."
CERT-IS shares its findings with Icelandic internet service providers and telecoms, but Sigurðsson acknowledged the problem is structural. New infected devices arrive in Iceland daily, ordered from the same unregulated foreign marketplaces that supplied the previous batch. The devices share a common profile: rock-bottom prices, outdated Android versions that receive no security patches, and hardware from manufacturers with no accountability to European consumers. The pattern is not unique to Iceland — Germany's Federal Office for Information Security (BSI) disrupted a BADBOX botnet of 30,000 devices in late 2023, and researchers have since found the malware's reach extends into the hundreds of thousands globally.
For a small island nation that prides itself on near-universal internet connectivity, the arithmetic is uncomfortable. The same open, high-bandwidth infrastructure that makes Iceland attractive for data centres also makes 5,000 compromised devices a potent resource for attackers. "It is difficult to fight this, as these devices are bought daily and keep coming into the country, infected," Sigurðsson said. The devices cost consumers twenty or thirty euros. Cleaning up after them costs considerably more.
Sources: RÚV