Cheap Android TV boxes shipped with "unkillable" malware - here's what you need to know

(Image credit: streaming)

Just because you bought a brand new Android TV box, that doesn’t mean the device is clean from malware and safe to use. In fact, there are tens of thousands of Android-powered endpoints out there that are being shipped with backdoors.

This is according to a new report from cybersecurity experts Human Security which claims that seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W, are all being shipped with Badbox, a downloader based on the Triada malware. 

When the victim buys the device and turns it on, Badbox activates, reaches out to its command & control (C2) server, and then pulls whatever stage-two malware it is told to download.

Supply chain woes

The total number of victims is hard to determine, the researchers said, but they identified at least 74,000 Android mobile phones, tablets, and connected TV boxes that are infected.

How these devices ended up with malware is anyone’s guess, but the researchers speculate that wasn’t the manufacturer’s intent. Instead, it’s likely that somewhere in the development chain, a third party got compromised and its access to the devices in production abused to deliver the downloader. 

“This is a truly distributed way of doing fraud," Human Security's CISO, Gavin Reid, told Wired. The police have been briefed on the findings, he added.

There’s no word on the identity of the attackers, however Human Security said there are hackers out there offering advertising fraud, fake Gmail and WhatsApp accounts, and remote code installation. These threat actors are also offering access to residential networks, for a price. They claim to have “millions of mobile IP addresses” to work with

“You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid told the publication.

This is not the first time researchers have sounded the alarm on these TV boxes, as cybersecurity researcher Daniel Milisic was warning consumers about T95 and other models months ago.  

Edit, October 11 - A Google spokesperson reached out to TechRadar with the following statement: “The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified. ”

The infected devices, the spokesperson further elaborated, are Android Open Source Project (AOSP) devices, which means that anyone can download and modify the code. Android TV is Google's operating system for smart TVs and streaming devices. It is proprietary, which means that only Google and its licensed partners can modify the code.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.