Android TV malware case worsens: Tens of millions of devices infected - FlatpanelsHD

06 Oct 2023 | Rasmus Larsen |

The scale of malware in Chinese Android TV boxes is worse than feared, with over 20 million devices believed to be infected and capable of accessing users' home networks.

The situation first came to the public's attention in May 2023, when a warning was issued that popular Chinese Android TV boxes come preloaded with malware. In September, another malware botnet was discovered.

However, this is just the tip of the iceberg, according to a report from Wired this week.

To be clear: These boxes run AOSP (Android Open Source Project), not Google's certified 'Android TV' or 'Google TV' such as Chromecast and Nvidia Shield, and that's the problem – the open nature of AOSP. You can identify these boxes by their modified user interface, which differs from the one mandated by Google for all official 'Android TV' or 'Google TV' devices.


Can access your home network

Cybersecurity firm Human Security has unveiled new details about the extent of the malware botnet that fuels a network of fraudulent schemes. These TV devices, manufactured in China, come preloaded with the malware before they reach resellers.

"They’re like a Swiss Army knife of doing bad things on the internet," Gavin Reid, CISO at Human Security, told Wired. "Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff."

They refer to the malware botnet as 'Badbox'. Human Security states that among devices purchased in the US from online retailers, 80% were infected with Badbox. They identified seven Android TV boxes and one tablet (T95, T95Z, T95MAX, X88, Q9, X12PLUS, MXQ Pro 5G, and J5-W) with the backdoor installed, but have seen signs that over 200 different models may be infected. These devices are used in homes, businesses and schools, and are sold under different brands to obscure their true source.

Devices such as Tanix TX6 and H96 MAX X3 were previously found to be infected

The backdoor alters a component of the Android operating system, enabling it to execute code and gain access to apps installed on the device.

"Human Security tracked multiple types of fraud linked to the compromised devices. This includes advertising fraud; residential proxy services, where the group behind the scheme sell access to your home network; the creation of fake Gmail and WhatsApp accounts using the connections; and remote code installation. Those behind the scheme were selling access to residential networks commercially, the company’s report says, claiming to have access to more than 10 million home IP addresses and 7 million mobile IP addresses," reported Wired.

Tens of millions of devices

Security firm Trend Micro has identified another group in China behind similar malware.

"They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time," Fyodor Yarochkin, a senior threat researcher at Trend Micro, told Wired.

Trend Micro found one infected tablet in a museum and believes that Android systems in cars are infected too.

"You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets," Gavin Reid said to Wired. "Friends don't let friends plug in weird IoT devices into their home networks."

Another malware, referred to as 'Peachpit' by security researchers, though seemingly less harmful, appears to be funding the operation by showing hidden ads within apps. Human Security has identified 39 Android, iOS, and TV box apps affected by Peachpit. The report indicates that Apple and Google are already addressing the issue.

The reasons why Android TV became Google TV?

We cannot help but wonder whether Google has been aware of and combating this malware for years, and whether it played a role in the company's decision to rename Android TV to Google TV. Bad actors can use the Android name to reference AOSP, but they cannot use 'Google', which is a trademark.

Source: Wired, Human Security