New malware botnet found infecting Android TV boxes

Owners of the infected boxes are advised to throw them away.

After it was discovered earlier this year that several popular Android TV boxes came pre-installed with malware, reports have emerged of a new malware botnet targeting other TV boxes.

According to BleepingComputer, a new variant of the Mirai malware botnet is targeting set-top Android TV boxes that are sold by major and minor retailers. Discovered by Dr. Web’s antivirus team, the botnet is primarily targeting low-cost boxes, namely the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.

Dr. Web reports that affected devices are infected “either via a malicious firmware update signed with publicly available test keys or distributed via malicious apps on domains targeting users interested in pirated content.”

Dr. Web goes on to state that the malware used to infect these devices is capable of a range of nefarious activities, including the ability to “perform DDoS attacks over the TCP and UDP protocols, like generating SYN, ICMP, and DNS flood requests, as well as opening a reverse shell, mounting system partitions for modification, and more.”

The following was originally published June 2, 2023: 

Google has officially responded to reports of malware coming pre-installed in some popular Android TV boxes. We previously reported that security researchers confirmed boxes sold by AllWinner and RockChip came with malware that functioned as clickbots, but could be made to push any payload the authors desired. In Google’s response, they note that the Android TV boxes in question aren’t actually running the Android TV OS, but the mobile Android OS with a modified interface.

“We have recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices,” Google’s statement reads. “Some of them may also come with Google apps and the Play Store that are not licensed by Google, which means that these devices are not Play Protect certified. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

 

The following was originally published May 23, 2023: 

Security researchers have confirmed that popular Android TV boxes sold by Chinese brands AllWinner and RockChip come shipped with malware. The boxes in question have sold in huge quantities on Amazon and other popular retailers, and experts are now advising consumers to throw them away.

By default, the malware the boxes ship with acts as a clickbot that continually clicks on ads in the background, unbeknownst to the user, to generate money.

“But because of the way the malware is designed, the authors can push out any payload they like,” security researcher and discoverer of the malware in question, Daniel Milisic, told TechCrunch. This means the malware could be used for any number of malicious purposes, including cyberattacks, stealing information, and DDoS attacks.

Milisic’s discovery was independently verified and confirmed by EFF security researcher Bill Budington. The two concluded that since there is no easy way for the user to remove the problematic software, the best course of action would be to dispose of the infected unit.

TechCrunch reports that several models from the two companies come preloaded with malware, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.
