Popular Android TV boxes sold on Amazon are riddled with malware


AllWinner and RockChip may not be household names, but the two China-based companies power many of the popular Android TV devices sold on Amazon.

Android TV boxes are usually cheap and highly customizable, bundling several streaming services into a single device so that buyers do not need separate hardware for each. Their Amazon listings carry four-out-of-five-star ratings and have collectively gathered thousands of favorable reviews.

But security researchers say the models are sold pre-loaded with malware capable of launching coordinated cyberattacks.

Last year, Daniel Milisic bought an AllWinner T95 set-top box and discovered that the device's firmware was infected with malware. Milisic found that the Android set-top box was communicating with command-and-control servers and waiting for instructions on what to do next. His ongoing investigation, which he posted on GitHub, found that his T95 was, straight out of the box, part of a larger botnet of thousands of malware-infected Android TV boxes in homes and offices around the world.

Milisic said the malware's default payload is a clickbot, code that generates advertising revenue by surreptitiously clicking on ads in the background. After an affected Android TV box is powered on, the pre-loaded malware immediately contacts a command-and-control server, receives instructions on where to fetch the next stage, and pulls the additional payloads that carry out the ad-clicking fraud onto the device.
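The check-in pattern described above, a device that calls home to one external address on a fixed schedule and waits for orders, is something a home or office network owner can look for without knowing the attackers' infrastructure. The following is an added example, not code from the original article or from Milisic's GitHub repository: it scans flow records from a LAN for a host that contacts one destination at a near-constant interval, the timing signature of a C2 beacon. The flow lines, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the demo, and the exact interval and servers used by the T95 malware are not stated on this page and are not assumed here.

```python
"""Beacon detection over constructed flow records (added example).

Flags a LAN host that contacts one external address at a near-fixed
interval, the pattern a command-and-control check-in produces.  All
inputs, addresses and thresholds below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes>"
# 192.168.1.50 is the hypothetical set-top box; 192.168.1.20 a laptop
# browsing normally.  203.0.113.10 plays the hypothetical C2 server.
SAMPLE_FLOWS = """\
2023-05-01T08:00:02 192.168.1.50 203.0.113.10:443 612
2023-05-01T08:00:09 192.168.1.50 198.51.100.77:443 40211
2023-05-01T08:01:10 192.168.1.20 198.51.100.5:443 1820
2023-05-01T08:01:25 192.168.1.20 198.51.100.5:443 9931
2023-05-01T08:05:01 192.168.1.50 203.0.113.10:443 598
2023-05-01T08:07:40 192.168.1.20 198.51.100.5:443 2210
2023-05-01T08:10:03 192.168.1.50 203.0.113.10:443 604
2023-05-01T08:15:02 192.168.1.50 203.0.113.10:443 611
2023-05-01T08:20:00 192.168.1.50 203.0.113.10:443 599
2023-05-01T08:25:01 192.168.1.50 203.0.113.10:443 607
2023-05-01T08:30:02 192.168.1.50 203.0.113.10:443 602
2023-05-01T08:31:05 192.168.1.20 198.51.100.5:443 77012
2023-05-01T08:33:50 192.168.1.20 198.51.100.5:443 1511
2023-05-01T08:35:03 192.168.1.50 203.0.113.10:443 600
2023-05-01T08:45:00 192.168.1.20 198.51.100.5:443 3302
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst_ip, dst_port, bytes)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), src, dst_ip, int(dst_port), int(nbytes)))
    return flows


def find_beacons(flows, min_samples=6, max_cv=0.2):
    """Return (src, dst) pairs whose contact intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (stddev / mean)
    of the gaps between successive flows; human-driven traffic is bursty
    and scores high, a timer-driven check-in scores close to zero.
    """
    by_pair = defaultdict(list)
    for ts, src, dst_ip, dst_port, _ in flows:
        by_pair[(src, dst_ip, dst_port)].append(ts)

    hits = []
    for (src, dst_ip, dst_port), times in by_pair.items():
        if len(times) < min_samples:        # too few contacts to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:                        # duplicate timestamps; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": f"{dst_ip}:{dst_port}",
                "count": len(times),
                "period_s": round(avg),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} contacts, "
              f"every ~{hit['period_s']}s (cv={hit['cv']})")
```

On the constructed data the set-top box's five-minute check-ins to 203.0.113.10 are the only pair flagged; the laptop's irregular browsing to 198.51.100.5 has the same number of flows but a coefficient of variation far above the threshold. In practice the same logic runs over router NetFlow or DNS query logs, and a positive should be followed by checking who owns the destination, not by trusting the score alone.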

“But because of the way the malware is designed, the authors can push any payload they want,” Milisic told TechCrunch.

Bill Budington, a security researcher at the EFF, confirmed Milisic's findings after purchasing an affected device from Amazon. Several AllWinner and RockChip Android TV models are preloaded with malware, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.


Screenshot of the AllWinner T95 listed on Amazon. Image credits: TechCrunch (screenshot)

Botnets typically consist of hundreds, if not thousands or millions, of compromised devices around the world. The operators behind a botnet can use this malicious network to mine cryptocurrency on an affected device, steal data (if any) from the device or its connected network, or harness the collective internet bandwidth of the devices to flood other websites and internet servers with unwanted traffic, known as a distributed denial-of-service attack, knocking them offline.

Milisic asked the internet company hosting the command-and-control servers that instructed the wider botnet to take those servers offline, and the servers hosting the ad-click malware disappeared shortly thereafter. However, he warned that the botnet could return at any time with new infrastructure.

It is not clear how big the botnet is. “It's hard to quantify the size of this network,” Budington told TechCrunch. “What we do know is that everywhere we look, there are different types of Android Trojan malware downloading next-stage malware from the same pool of IP addresses, ones that have been involved in supply chain attacks in the past. It's an impressive and troubling process.”

Milisic and Budington note that there is no easy way for the average user to remove the malware. Getting rid of the box entirely may be the best option for affected users.

“I think the only way to mitigate this problem is to hold retailers to higher standards,” Milisic told TechCrunch, referring to online sellers such as Amazon. “They are not allowed to sell children's toys made of spinning razor blades, so why is it okay to allow small, unknown sellers to sell maliciously behaving computers without the owners' knowledge and permission?”

When reached by TechCrunch, Amazon spokesperson Adam Montgomery declined to say whether Amazon reviews the security of the devices it sells or if it plans to remove devices that contain malware from sale.

AllWinner and RockChip did not respond to requests for comment.

There has been a push in recent years to improve hardware security standards. The Biden administration has said it plans to roll out a rating system for internet-connected devices this year as part of efforts to encourage device makers to improve the security of their products, for example by adding update mechanisms to patch security flaws. In 2018, the state of California passed a law banning internet-connected devices from shipping with default, easy-to-guess passwords, which attackers often use to break into devices and ensnare them in a botnet.

At the time of writing, the affected AllWinner and RockChip models are still available for sale on Amazon.
