Cheap Android TV boxes shipped with “unkillable” malware - here’s what you need to know

Don’t buy Android TV boxes from unknown brands, researchers are warning

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Just because you bought a brand new Android TV box, that doesn’t mean the device is clean frommalwareand safe to use. In fact, there are tens of thousands of Android-powered endpoints out there that are being shipped with backdoors.

This is according to a new report from cybersecurity expertsHuman Securitywhich claims that seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W, are all being shipped with Badbox, a downloader based on the Triada malware.

When the victim buys the device and turns it on, Badbox activates, reaches out to its command & control (C2) server, and then pulls whatever stage-two malware it is told to download.

Supply chain woes

The total number of victims is hard to determine, the researchers said, but they identified at least 74,000 Android mobile phones, tablets, and connected TV boxes that are infected.

How these devices ended up with malware is anyone’s guess, but the researchers speculate that wasn’t the manufacturer’s intent. Instead, it’s likely that somewhere in the development chain, a third party got compromised and its access to the devices in production abused to deliver the downloader.

“This is a truly distributed way of doing fraud," Human Security’s CISO, Gavin Reid, toldWired. The police have been briefed on the findings, he added.

There’s no word on the identity of the attackers, however Human Security said there are hackers out there offering advertising fraud, fake Gmail andWhatsAppaccounts, and remote code installation. These threat actors are also offering access to residential networks, for a price. They claim to have “millions of mobile IP addresses” to work with

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“You can think of these Badboxes as kind of like sleeper cells. They’re just sitting there waiting for instruction sets,” Reid told the publication.

This is not the first time researchers have sounded the alarm on these TV boxes, as cybersecurity researcher Daniel Milisic waswarning consumers about T95 and other models months ago.

Edit, October 11 - AGooglespokesperson reached out to TechRadar with the following statement: “The off-brand devices discovered to be BADBOX-infected were notPlay Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, ourAndroid TV websiteprovides the most up-to-date list of partners. You can also takethese stepsto check if your device is Play Protect certified. ”

The infected devices, the spokesperson further elaborated, areAndroid Open Source Project(AOSP) devices, which means that anyone can download and modify the code.Android TVis Google’soperating systemfor smart TVs and streaming devices. It is proprietary, which means that only Google and its licensed partners can modify the code.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

LG Electronics sets ambitious B2B revenue goal to offset declining consumer demand