If you get your streaming fix from an Android TV box, your device could be laced with malware capable of conducting ad fraud, creating fake accounts, and selling access to home networks by quietly siphoning your data to servers in China.
According to a new report this week, cybersecurity firm Human Security has uncovered evidence of several models of Android TV boxes and at least one tablet infected right out of the box with dangerous firmware backdoors that are difficult to detect and even harder to remove. Human Security identified at least 74,000 Android mobile phones, tablets, and connected TV boxes showing signs of infection around the world. The researchers found signs that at least 200 different models of Android devices may be impacted, according to a report shared with Wired.
In total, the researchers identified eight devices known to have backdoors installed — seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W. All the devices boast a vast and diverse user base from homes and businesses to schools across the U.S.
“This is a truly distributed way of doing fraud," Human Security's CISO, Gavin Reid, said in an interview with Wired. He added that law enforcement agencies have already received all the details they gathered about the facilities where the devices may have been manufactured.
What's going on here
Here's how the scheme works. The devices are built in China, where, at some point in the commercial supply chain before they're delivered to resellers or stores, a malware-based firmware backdoor is installed. The backdoor is built on Triada malware, a "downloader" whose main purpose is to establish a backdoor through which other malicious programming can be downloaded and installed. Dubbed Badbox infections, these backdoors are linked to a global network of fraud and cybercrime.
“Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid told the outlet.
Hackers then use this access to compromised devices to execute multiple types of fraud, including advertising fraud, the creation of fake Gmail and WhatsApp accounts and remote code installation, Human Security's report explains. The group behind the scheme is selling access to residential networks commercially and claims to have access to millions of mobile IP addresses.
The cybersecurity firm reports the BadBox operators have taken down their command-and-control servers, ostensibly to adapt and circumvent the defensive measures amid increased scrutiny. Concerned consumers should avoid using the infected devices, as the malware resides in the firmware partition, which makes it incredibly difficult to remove unless you have some technical know-how.
“You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid told Wired. For anyone on the hunt for a new TV streaming box, he advised to choose familiar brands when purchasing new products and stick to devices from trusted manufacturers.
In a statement to Tom's Guide, a Google spokesperson provided further insight on the situation, saying:
“The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified. ”
More from Tom's Guide
