Cybersecurity researchers have discovered two popular Android TV box products are being sold online preloaded with malware.
The malware generates revenue for the attackers by clicking on ads in the background, without the owners’ knowledge or consent, according to findings from cybersecurity researcher Daniel Milisic.
Milisic went to Amazon to buy an AllWinner T95, a popular set-top box with a four-out-of-five-star rating, and countless reviews. The TV box comes with multiple streaming services, can be customized, and is generally considered good value for its relatively low price (around $40 without shipping).
Impressive and unsettling
However, soon after receiving the item, Milisic discovered the tool was communicating with a C2 server and awaiting certain instructions. A deeper investigation showed the device connecting to a wider botnet comprising countless devices all over the world. The instructions were to download stage-two malware which performs ad-click fraud.
After publishing his findings on GitHub, other researchers chimed in with support, including EFF security researcher Bill Budington, who not only confirmed MIlisic’s findings, but also said there were other devices doing the same thing. Here are some of the infected devices: AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.
Milisic reached out to the internet company that hosted the C2 servers and asked for them to be turned off, and the company complied quickly. However, he says that nothing is stopping the threat actors to erect a C2 server elsewhere and just continue their operation.
Speaking to TechCrunch, Budington didn’t hide his amazement: “It’s an impressive and unsettling operation,” he said.
“It’s difficult to quantify the scale of this network. What we do know is that everywhere we look there are different variants of Android trojan malware downloading next-stage malware from the same set of IPs, ones that have been involved in supply-chain attacks in the past.”
The worst thing is that the average user doesn’t really know how to install, or remove, such software from TV boxes, the researchers claim. For them, the best course of action would be to just replace the devices with something of more trustworthiness. For the researchers, he believes they should hold resellers to a higher standard and scrutinize hardware more.
“They’re not allowed to sell children’s toys made out of spinning razor blades, why is it OK to let small, unknown vendors sell computers acting maliciously without owners’ knowledge and permission?,” he concluded.