Two popular Android TV box products have been found to be sold online preloaded with malware, according to cybersecurity researchers. The malware generates revenue for attackers by clicking on ads in the background without the owners’ knowledge or consent. The findings were made by cybersecurity researcher Daniel Milisic, who purchased an AllWinner T95, a popular set-top box with a four-out-of-five-star rating and countless reviews, from Amazon. The TV box comes with multiple streaming services, can be customised and is generally considered good value for its relatively low price of around $40 without shipping. However, soon after receiving the item, Milisic discovered that the tool was communicating with a C2 server and awaiting certain instructions. A deeper investigation showed the device connecting to a wider botnet comprising countless devices all over the world. The instructions were to download stage-two malware which performs ad-click fraud.
After publishing his findings on GitHub, other researchers chimed in with support, including EFF security researcher Bill Budington, who not only confirmed Milisic’s findings but also said there were other devices doing the same thing. The infected devices include AllWinner T95Max, RockChip X12 Plus and RockChip X88 Pro 10. Milisic reached out to the internet company that hosted the C2 servers and asked for them to be turned off, and the company complied quickly. However, he says that nothing is stopping the threat actors from erecting a C2 server elsewhere and just continuing their operation.
Speaking to TechCrunch, Budington said: “It’s an impressive and unsettling operation. It’s difficult to quantify the scale of this network. What we do know is that everywhere we look there are different variants of Android trojan malware downloading next-stage malware from the same set of IPs, ones that have been involved in supply-chain attacks in the past.” The worst thing is that the average user doesn’t really know how to install or remove such software from TV boxes, the researchers claim. For them, the best course of action would be to replace the devices with something more trustworthy. For the researchers, they believe they should hold resellers to a higher standard and scrutinise hardware more. “They’re not allowed to sell children’s toys made out of spinning razor blades, why is it OK to let small, unknown vendors sell computers acting maliciously without owners’ knowledge and permission?,” he concluded.