Critical Threat: Malware Found Preloaded in Android TV Boxes Sold on Amazon

Security Advisory: Malware Detected in Popular Android TV Boxes Sold on Amazon

Two Chinese chip makers, AllWinner and RockChip, are little known to consumers, but their processors power several of the best-selling Android TV boxes on Amazon.

These Android-based set-top boxes are popular because they are cheap and versatile: one device gives access to multiple streaming services, with no need for separate hardware for each.

They are also well reviewed, averaging four out of five stars on Amazon across thousands of favourable customer reviews.

Security researchers have now found that several of these popular models ship with malware preloaded in their firmware, and that the infected boxes take part in coordinated attacks.

The problem came to light when Daniel Milisic bought an AllWinner T95 set-top box last year. Shortly after setting it up, he found that the box's firmware was infected with malware. Milisic then investigated how far the infection went and documented his findings on GitHub.

Milisic's investigation showed that his T95 was part of a botnet made up of thousands of other malware-infected Android TV boxes around the world.

The compromised devices check in with command and control (C2) servers and wait for instructions, so whoever runs those servers can direct the whole fleet at once.

The default payload is a click-bot: code that quietly generates ad revenue for the operators by clicking on advertisements in the background.

Because the malware is part of the shipped firmware rather than an app the owner installed, it is active from the first boot. As soon as an affected box is powered on, the preloaded code contacts a C2 server, which tells it where to fetch the remaining malware components and the additional payloads used for ad-click fraud.
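The behaviour described above, a device that calls home as soon as it boots and then keeps polling the same server, is something an owner can look for from the router side without touching the box. The following Python script is an added illustration and is not code from the original article or from Milisic's GitHub repository. The log format, the DHCP-lease-as-boot-marker convention, the polling interval and the addresses (taken from the TEST-NET documentation ranges, so they point at no real server) are all constructed for the example; the heuristic is that a destination first contacted within seconds of a lease and then revisited at a near-constant interval deserves a closer look.

```python
"""Added example, not from the original article or from Milisic's T95
repository: flag a device that calls home right after boot and then polls
the same destination at a regular interval.

The log format below is invented for this example. A DHCP lease is used as
the boot marker; every other line is an outbound connection seen at the
router. IPs are from the TEST-NET documentation ranges, not real servers."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 203.0.113.10:8080 is reached 4 s after the lease and then
# every ~5 min (the suspected C2); 198.51.100.25:443 stands in for a streaming
# CDN that is used irregularly.
SAMPLE_LOG = """\
2024-03-01T19:00:00 dhcp lease 192.168.1.50 android-tvbox
2024-03-01T19:00:04 conn 192.168.1.50 -> 203.0.113.10:8080
2024-03-01T19:00:09 conn 192.168.1.50 -> 198.51.100.25:443
2024-03-01T19:05:04 conn 192.168.1.50 -> 203.0.113.10:8080
2024-03-01T19:10:05 conn 192.168.1.50 -> 203.0.113.10:8080
2024-03-01T19:12:40 conn 192.168.1.50 -> 198.51.100.25:443
2024-03-01T19:15:04 conn 192.168.1.50 -> 203.0.113.10:8080
2024-03-01T19:20:03 conn 192.168.1.50 -> 203.0.113.10:8080
2024-03-01T19:31:17 conn 192.168.1.50 -> 198.51.100.25:443
"""


def parse_log(text):
    """Return (boot_times, connections).

    boot_times:  src IP -> sorted list of lease timestamps
    connections: (src IP, "dst:port") -> sorted list of connection timestamps
    """
    boot_times = defaultdict(list)
    connections = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = datetime.fromisoformat(parts[0])
        if parts[1] == "dhcp" and parts[2] == "lease":
            boot_times[parts[3]].append(ts)
        elif parts[1] == "conn" and parts[3] == "->":
            connections[(parts[2], parts[4])].append(ts)
    for lst in list(boot_times.values()) + list(connections.values()):
        lst.sort()
    return boot_times, connections


def seconds_after_boot(boots, times):
    """Smallest delay between a boot and the first contact that follows it,
    or None if the destination was never contacted after a boot."""
    delays = []
    for boot in boots:
        later = [t for t in times if t >= boot]
        if later:
            delays.append((later[0] - boot).total_seconds())
    return min(delays) if delays else None


def find_beacons(text, boot_window=30, min_hits=4, max_jitter=10):
    """Flag (src, dst) pairs contacted within `boot_window` seconds of a DHCP
    lease and then revisited at least `min_hits` times with gaps whose
    population standard deviation is at most `max_jitter` seconds.

    Returns {(src, dst): (delay_after_boot_s, mean_interval_s)}.
    """
    boot_times, connections = parse_log(text)
    flagged = {}
    for (src, dst), times in connections.items():
        delay = seconds_after_boot(boot_times.get(src, []), times)
        if delay is None or delay > boot_window or len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged[(src, dst)] = (delay, mean(gaps))
    return flagged


if __name__ == "__main__":
    for (src, dst), (delay, interval) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: first contact {delay:.0f}s after boot, "
              f"then every {interval:.0f}s")
```

On the constructed sample only the 203.0.113.10:8080 pair is flagged: it is reached 4 seconds after the lease and then roughly every 300 seconds, while the CDN stand-in is contacted too rarely and too irregularly to match. The thresholds are deliberately loose; a real deployment would tune `boot_window` and `max_jitter` to the router's clock resolution and would whitelist known streaming endpoints rather than rely on hit counts alone.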

Ad fraud is only the default, and the same channel can deliver anything else the operators choose. As Milisic pointed out, “But because of the way the malware is designed, the authors can push out any payload they like.”

Milisic's findings were independently confirmed by Bill Budington, a security researcher at the EFF, who bought one of the affected devices from Amazon and reproduced the results.

Furthermore, several other AllWinner and RockChip Android TV models, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10, were found to be preloaded with the same nefarious malware.

The implications go beyond ad fraud. A botnet is a pool of compromised devices, typically hundreds to millions of them spread around the world, that its operators can rent out or use for whatever is profitable.

Common uses include cryptocurrency mining, data theft and distributed denial-of-service (DDoS) attacks, in which the devices flood a website or internet server with junk traffic until legitimate users can no longer reach it.

Milisic contacted the hosting company whose servers were distributing instructions to the botnet and asked for them to be taken offline. The servers hosting the ad-click malware disappeared shortly afterwards.

Taking the servers down does not remove the malware from the boxes themselves, and Milisic warned that the botnet could return on new infrastructure at any time. The true size of the botnet remains unknown.