Two cybersecurity researchers have revealed that two brands of popular Android TV boxes marketed on Amazon came preloaded with malware. Daniel Milisic and Bill Budington bought AllWinner and RockChip set-top boxes respectively from Amazon, only to find that the hardware carried malware capable of launching cyberattacks across networks around the globe.
Milisic bought the AllWinner T95 set-top box in 2022 and found that, instead of merely streaming TV services as expected, the device was also communicating with control servers and joining a botnet made up of thousands of other users' TV set-top boxes around the world. These are Android TV set-top boxes that have been infected or shipped with malware preloaded.
According to Milisic, the malware works as a click bot that taps TV ads in the background to generate thousands of dollars in ad revenue for the malware operators. When the set-top box is switched on, it contacts a command and control server, which directs the malware to pull additional payloads onto the box so that it can carry out surreptitious ad clicks.
Milisic said the authors can push out any payload they like because of the way the malware is designed. He stated that other AllWinner and RockChip Android TV models also come preloaded with the malware, including the AllWinner T95Max, RockChip X12 Plus and RockChip X88 Pro 10.
According to him, botnets can comprise millions of compromised devices around the world, and their operators can use them to mine cryptocurrencies, steal owners' data, consume the internet bandwidth of the TV boxes, and flood websites and internet servers with junk traffic. He said the main way to stop the botnets and disrupt their operations is to ask the internet company hosting the command and control servers to take those servers down.
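The behaviour described above, a box that checks in with a command and control server on boot and fetches next-stage payloads from a fixed set of addresses, leaves a recognisable trace in outbound connection logs from a home router. The following Python script is an added example written for this article, not code from the researchers or from any vendor. It assumes a hypothetical log format of one connection per line (timestamp, source MAC, destination IP:port), uses constructed sample lines and placeholder addresses from the RFC 5737 documentation ranges rather than any real indicators, and flags a device either for contacting a denylisted host or for beaconing to one destination at near-constant intervals.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection records in a hypothetical router log
# format: "<ISO-8601 timestamp> <source MAC> <destination IP>:<port>". Not real data.
# Device ...:01 plays the role of the set-top box; device ...:02 is a laptop.
SAMPLE_LOG = """\
2024-01-01T08:00:00 aa:bb:cc:00:00:01 203.0.113.10:443
2024-01-01T08:00:02 aa:bb:cc:00:00:02 192.0.2.50:443
2024-01-01T08:01:00 aa:bb:cc:00:00:01 203.0.113.10:443
2024-01-01T08:02:00 aa:bb:cc:00:00:01 203.0.113.10:443
2024-01-01T08:02:41 aa:bb:cc:00:00:02 192.0.2.51:443
2024-01-01T08:03:00 aa:bb:cc:00:00:01 203.0.113.10:443
2024-01-01T08:03:05 aa:bb:cc:00:00:01 198.51.100.7:80
2024-01-01T08:04:00 aa:bb:cc:00:00:01 203.0.113.10:443
2024-01-01T08:09:13 aa:bb:cc:00:00:02 192.0.2.50:443
"""

# Hypothetical denylist of payload-download hosts. Placeholder value only; it is not an
# indicator from any published report.
DENYLIST = {"198.51.100.7"}


def parse_log(text):
    """Return a list of (timestamp, mac, ip, port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, mac, dest = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        records.append((datetime.fromisoformat(ts), mac.lower(), ip, int(port)))
    return records


def intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def is_beaconing(timestamps, min_connections=5, max_jitter=0.1):
    """True when one device contacts one destination at near-constant intervals.

    Check-ins to a command and control server tend to be evenly spaced, whereas a
    person's browsing is bursty. The coefficient of variation of the gaps
    (standard deviation / mean) separates the two; below max_jitter counts as regular.
    """
    if len(timestamps) < min_connections:
        return False
    gaps = intervals(timestamps)
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg < max_jitter


def find_suspicious_devices(records, denylist=DENYLIST):
    """Map each flagged source MAC to the list of reasons it was flagged."""
    per_pair = defaultdict(list)  # (mac, ip, port) -> list of timestamps
    for ts, mac, ip, port in records:
        per_pair[(mac, ip, port)].append(ts)
    findings = defaultdict(list)
    for (mac, ip, port), stamps in per_pair.items():
        if ip in denylist:
            findings[mac].append(f"contacted denylisted host {ip}:{port}")
        if is_beaconing(stamps):
            avg = mean(intervals(stamps))
            findings[mac].append(f"beaconing to {ip}:{port} at ~{avg:.0f}s intervals")
    return dict(findings)


if __name__ == "__main__":
    for mac, reasons in find_suspicious_devices(parse_log(SAMPLE_LOG)).items():
        print(mac)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, the set-top box is reported twice (a denylist hit and a 60-second beacon to one host) while the laptop, with only three irregular connections, is not. The interval check is the more useful of the two in practice, because it does not depend on knowing the operators' current server addresses; the threshold values are starting points to tune against a network's normal traffic.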
“It’s difficult to quantify the scale of this network,” Budington revealed. “What we do know is that everywhere we look there are different variants of Android trojan malware downloading next-stage malware from the same set of IPs, ones that have been involved in supply-chain attacks in the past. It’s an impressive and unsettling operation.”
Milisic said the practical way to deal with the problem is for users to discard the set-top boxes, and for Amazon and other retailers to hold product manufacturers to higher standards. He said they should not be allowed to sell hardware that acts “maliciously without owners’ knowledge and permission.”
Amazon spokesperson Adam Montgomery as well as representatives for AllWinner and RockChip did not respond to queries about the malware problem.