AllWinner and RockChip, two Chinese companies, power several Amazon-sold Android TV boxes.
Android-powered TV set-top boxes are cheap and customizable, combining multiple streaming services into one device. They have thousands of five-star reviews on Amazon.
Security researchers say the models are preloaded with malware that can launch coordinated cyberattacks.
Daniel Milisic bought an AllWinner T95 set-top box last year and found malware in its firmware. Milisic discovered that the Android-powered set-top box was communicating with command and control servers for instructions. His GitHub investigation found that his T95 model was automatically connecting to a botnet of thousands of malware-infected Android TV boxes in homes and offices worldwide.
Milisic said the malware’s default payload is a clickbot, which stealthily taps ads to make money. After the affected Android TV boxes are powered on, the preloaded malware contacts a command and control server, receives its instructions, and pulls additional payloads from the device that perform ad-click fraud.
Milisic told that the malware authors can send any payload.
After buying an affected Amazon device, EFF security researcher Bill Budington verified Milisic’s findings. Other AllWinner and RockChip Android TV models, such as the T95Max, X12 Plus, and X88 Pro 10, are preloaded with the malware.
Botnets consist of hundreds to millions of compromised devices worldwide. The botnet operators can use this vast malicious network to mine cryptocurrency on affected devices, steal data from the device or the network it’s connected to, or launch a distributed denial-of-service attack on other websites and internet servers by flooding them with junk traffic.
Milisic asked the internet company hosting the command and control servers that gave instructions to the botnet to take them offline, and the ad-click malware servers disappeared shortly after. However, the botnet could return with new infrastructure.
The botnet size is unknown. “It’s difficult to quantify the scale of this network,” Budington told . What we do know is that everywhere we look, different variants of Android trojan malware are downloading next-stage malware from the same IPs, ones that have been involved in supply-chain attacks. An impressive and unsettling operation.”
Milisic and Budington say the average user cannot remove the malware. Affected users may benefit from discarding the box.
Milisic told that retailers should be held to a higher standard. “They’re not allowed to sell children’s toys made out of spinning razor blades; why is it OK to let small, unknown vendors sell computers acting maliciously without owners’ knowledge and permission?” he said of Amazon.
Amazon spokesperson Adam Montgomery declined to tell if Amazon reviews the security of its devices or if it will stop selling the malware-containing devices.
RockChip and AllWinner did not respond.
Hardware security standards have been raised recently. The Biden administration plans to introduce a labeling system for internet-connected devices this year to encourage device makers to add security updates. In 2018, California banned default and easy-to-guess passwords on internet-connected devices, which bad actors use to hack devices and ensnare them in botnets.
Amazon still sells the affected AllWinner and RockChip models.