A Canadian security specialist discovered malware installed in the firmware of an Android TV box. A practice hitherto unknown and which could well affect other models. Distrust prevails!
Android TV boxes that plug into the TV to enjoy streaming platforms and many other services are very practical and very popular. In large online stores like Amazon or AliExpress, there are hundreds of models available at prices ranging from a few tens of euros to more than two hundred euros for the most efficient. All are made in China and most entry-level devices are produced under white label and then marketed under several different names and brands. Problem: few checks are carried out between leaving the factory and putting them on the shelves. This can sometimes hold a few surprises, as Daniel Milisic, a Canadian security consultant, has seen on Amazon. low price of less than fifty euros.
Android TV box infected: requests to malicious servers
When configuring the box running Android 10.0, Daniel Milisic winced at a strange behavior. Indeed, from the outset the box could accept Ethernet and WiFi connections via the Android Debug Bridge (ADB). A somewhat unusual configuration generally reserved for developers and allowing remote access to files on the device, launching commands and installing applications. The security specialist indicates that he initially bought this box to run Pi-Hole, an application for blocking advertising and unwanted content that also prohibits access to malicious sites. After installing this tool, he then noticed that the box was trying to connect to a multitude of IP addresses associated with active malware.
According to Daniel Milisic, the box is infected with a derivative version of CopyCat, a malware first detected in 2017 and which has already infected more than 14 million Android devices around the world. The specialist tells our American colleagues from the BleepingComputer site that he has found layers on top of layers of malware but that he has not been able to trace everything, an element that seems to be deeply rooted in the ROM, the firmware of the box. To prevent the box from communicating with malicious servers and repatriating malware, Daniel Milisic provides on GitHub a method for advanced users.
Android TV box: favor well-known brands
The misadventure of Daniel Milisic shines a spotlight on the dangers posed by the many Android TV boxes of unknown brands marketed at low prices on the shelves of major online stores. Their firmware can be modified at any time, both in the production chain and in the distribution circuit. Such an infected box, connected to the home network and the Internet, could discreetly siphon off a lot of personal data. If you wish to acquire a device of this type, it is therefore advisable, if possible, to opt for a model of a known brand which does not content itself with affixing its logo and carries out checks. It will probably cost you a little more upfront, but you can use it with peace of mind.