Android TV boxes from China are vulnerable to malware

Once again, malware has been discovered in cheap Android TV boxes – most of which come from China. Users have to fear for their personal data.

As early as May 2023, there were increasing reports of malware on Android TV boxes. Specifically, the reports concerned devices with chips from the manufacturers AllWinner and RockChip. The companies’ TV boxes are quite popular on Amazon because they are cheap and easy to customize. However, experts discovered that the devices were shipped with malware pre-installed. Now other models are affected. TECHBOOK explains how the software works and how you can protect yourself.

Security expert discovers malware on his own Android TV box

In fact, the problem has been known for even longer. Earlier this year, after purchasing an Android TV box on Amazon, security researcher Daniel Milisic discovered pre-installed malware on it. Specifically, his case involved the T95 model, which contains the AllWinner H616 chip – and it was exactly this that was infected. This would, among other things, make coordinated cyber attacks possible.

Milisic wanted to install the Pi-hole software on the box and discovered how much malware was pre-installed on it. At that point, however, it was still unclear whether this might be an isolated case. In May, similar reports about other Android TV boxes increased. All affected devices came from Chinese manufacturers. The malware is preinstalled at the factory.

And to avoid confusion: The devices are sold as “Android TV” boxes, but the software is not signed by Google. Instead, the infected boxes use the open-source version of Android. This in turn allows manufacturers to modify the box individually. Even installing apps from the Play Store is possible and Chromecast is supported. The installed interface looks like Android TV – but it’s not.

What does the malware do?

As Milisic discovered in January, the infected chips communicate in the background with so-called command and control servers, which hackers can use to send further commands to the devices. The malware-infected Android TV boxes form a wide-ranging botnet through which the attackers can carry out large-scale attacks.

A main goal of the malware so far appears to be to generate advertising revenue by opening masses of advertisements in the background. However, Milisic told tech magazine TechCrunch: “Because of the way the malware is designed, the authors can spread any payload they want.” And that’s exactly what makes it so dangerous.

The larger the botnet, the more dangerous the attacks. Hackers can not only paralyze entire websites with denial-of-service attacks (DoS), but can also spread other malware that accesses personal data.

Independently, other experts confirmed Milisic’s observations. Security researcher Bill Budington also discovered that his Android TV box had been delivered with malware. The device came from Amazon, but you can also buy the same model from other online retailers such as AliExpress.

New warnings about malware on Android TV

The current warnings report different malware – but they target the same devices. The new malware botnet is called Mirai and was discovered by Dr. Web, as 4KMovies, among others, reported. According to the report, the Android TV boxes Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3 are among those affected.

The antivirus team from Dr. Web states that in the new cases the malware either got onto the Android TV boxes via malicious apps – or could have been pre-installed at the factory.

This is how you can protect yourself

Security expert Milisic found with his own box that the average user couldn’t do much against the malware. It is best for those affected to simply dispose of the box. The problem is that many people probably don’t even know that they are affected.

Experts are therefore already warning against buying such cheap TV boxes. So when purchasing, make sure that you are buying a certified device – in this case, one certified by Google. Milisic also demands higher safety standards from manufacturers and sellers. About online retailers like Amazon, the expert told TechCrunch: “They are not allowed to sell children’s toys that consist of spinning razor blades. So why is it okay for small, unknown sellers to be allowed to sell computers that act maliciously without the owners’ knowledge and permission?”

Sources

  • TechCrunch (“Popular Android TV boxes sold on Amazon are laced with malware”, accessed September 13, 2023)
  • 4KMovies (“Malware discovered again in cheap Android TV boxes from China”, accessed on September 13, 2023)
  • Golem (“Android TV box purchased with pre-installed malware”, accessed on September 13, 2023)
  • Reddit (accessed on September 13, 2023)
