Researchers find many Android TV boxes infested with malware


With streaming becoming the de facto medium for modern television entertainment, Android TV boxes have proven to be an effective way of enhancing older TV sets with internet-driven smarts.

There are many kinds of smart TV boxes available internationally and in Africa, but some of the most trusted brands – such as the Apple TV set-top box – are too expensive for many consumers.

This price sensitivity tempts customers into purchasing cheaper, lesser-known brands, especially because some of these boast the ability to stream pirated content as well.

But researchers have found that the prevalence of malicious software, or malware, built into many of these devices is shockingly high.

‘Your device is infected with malware, constantly trying to find a C2 server to upload ‘telemetry’ and await commands without your knowledge or permission.’ It’s included with the device, straight from the merchant you ordered it from,” said Daniel Milisic, a computer security researcher, on a GitHub repository focused on investigating the operating systems of the AllWinner H616/H618 and RockChip 3328 set-top boxes.

Milisic is a contributor to numerous GitHub repositories where researchers and tinkerers from around the world share their findings about the security vulnerabilities of the various devices they test for malware.

Sophisticated botnet

Another TV box, called the T95, had malware that hijacked a user’s computing resources and internet connection, acting as a node in a sophisticated botnet that committed advertising fraud. Once connected, the device would quietly run background software that clicked on advertisements on various websites, fraudulently giving paying advertisers the false impression that their content was garnering more views than it actually was.

Human Security, company specialising in the identification and takedown of international fraud syndicates, reported in October 2023 that its Satori team had disrupted the operations of the Badbox botnet operation, an advertising fraud syndicate operating out of China. The security research firm says that at its peak, Badbox was responsible for four billion fraudulent ad requests a day.

“The Badbox operation, based out of China, sold off-brand mobile and connected TV devices on popular online retailers and resale sites,” Human Security said in a statement. “These Android devices came preloaded with a known malware called Triada. Once the device was turned on or plugged in, those devices called home and got several “modules” of fraud installed on them remotely. One of which was an ad fraud module we dubbed Peachpit. This cybercriminal enterprise didn’t discriminate – they went after consumers around the world both in the private and public sectors.”

According to a report by Wired, the Triada malware used by Badbox was first identified by Kapersky in 2016 – and advertising fraud is not the only type of crime that has been linked to the software. Other methods used by cybercriminals include residential proxy services – where the syndicates sell access to user home networks – the creation of fake e-mail and social media accounts as well as remote code installations.

Misilic and others have identified certain files, including a now infamous “core java” folder on these Android TV boxes, that contain malware. Attempts to remove malicious software from devices like the T95 have mostly proven to be unsuccessful as clean versions of the custom Android OS version they use are nearly impossible to find. Many of the “successful” reboots prove to be defective after some time and experts are blaming the likelihood that the operating system files that have been identified as malware are not the only ones present in the system, with others that are more deeply hidden.

“After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using ‘tcpflow’ and ‘nethogs’ to monitor traffic, and traced it back to the offending process/APK (Android Package File), which I then removed from the ROM. The final bit of malware I could not track down injects the system server process and looks to be deeply baked into the ROM. It’s pretty sophisticated malware,” said Misilic.


Please enter your comment!
Please enter your name here