Many Android TV boxes sold online ship with malware. Google has now published a procedure for identifying trustworthy models through its Play Protect certification.

Be careful if you plan to buy an Android TV box, or if you already own one. These boxes connect to the television and to the home's local network, via Ethernet or Wi-Fi, to bring streaming platforms and many other online services to the TV; they are practical and very popular. Large online stores such as Amazon or AliExpress list hundreds of models, at prices ranging from a few tens of euros to more than two hundred euros for the most powerful. All are made in China, and most entry-level devices are produced as white-label hardware and then marketed under several different names. The problem: few checks take place between the factory gate and the shop shelf, and that can hold unpleasant surprises. Linked to the user's Google account, such a box has a good deal of sensitive data within reach. Not all brands are trustworthy, and some present a real danger.

This was observed, with supporting evidence, by Daniel Milisic. At the beginning of the year, this Canadian security consultant noticed strange behavior from an Android TV box sold on Amazon, including by the e-commerce giant's French storefront. The model, the T95, sold for less than 50 euros under the AllWinner name (after the main chip that powers the device), is available under various more or less fanciful brand names, always built around an AllWinner chip. Since his first investigations, it has become clear that this box is not the only one behaving in an intriguing way, invisible to ordinary users but dangerous for the security of their data and that of others.

Android TV box: models infected with factory malware

While setting up the box, which runs Android 10, Daniel Milisic winced at one oddity: out of the box, the device accepted connections over Ethernet and Wi-Fi through the Android Debug Bridge (ADB). That is an unusual configuration, normally reserved for developers, because ADB gives remote access to the device's files and allows commands to be run and applications to be installed. Milisic explained that he had originally bought the box to run Pi-hole, a DNS-based tool that blocks advertising and unwanted content and also cuts off access to known malicious sites. After installing it, he noticed that the box was trying to reach a multitude of addresses associated with active malware.
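A practical way to check for the ADB exposure described above, as an added example (this is not Milisic's code): the script below sends the opening CNXN message of the ADB wire protocol to TCP port 5555 on each host of a LAN and classifies the daemon's first reply. A daemon that answers with CNXN has completed the handshake with no key check at all; one that answers with AUTH at least demands an RSA key the owner has approved. The network block and the port are assumptions; adjust them for your own LAN.

```python
"""Probe LAN hosts for an Android Debug Bridge (ADB) daemon on TCP 5555 and tell an
unauthenticated daemon apart from one that demands key authorization. Added example."""
import ipaddress
import socket
import struct

ADB_PORT = 5555
A_CNXN = 0x4E584E43            # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541            # b"AUTH"
A_VERSION = 0x01000000         # protocol version advertised in the CNXN message
MAX_PAYLOAD = 4096             # largest message body we are willing to accept
HEADER = struct.Struct("<6I")  # command, arg0, arg1, length, checksum, magic


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialize one ADB message: 24-byte header followed by the payload.
    checksum = byte sum of the payload; magic = bitwise NOT of the command."""
    checksum = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), checksum, magic) + payload


def build_cnxn(identity: bytes = b"host::\x00") -> bytes:
    """The opening CNXN message a client sends to an ADB daemon."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_header(raw: bytes) -> dict:
    """Decode a 24-byte ADB header and verify its magic field."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, checksum, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("not an ADB message")
    return {"command": command, "arg0": arg0, "arg1": arg1,
            "length": length, "checksum": checksum}


def classify(command: int) -> str:
    """Map the daemon's first reply to a verdict."""
    if command == A_CNXN:
        return "open"            # handshake done, no key check: anyone on the LAN is in
    if command == A_AUTH:
        return "auth-required"   # daemon wants an RSA key the owner has approved
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = ADB_PORT, timeout: float = 2.0) -> str:
    """Return "closed" (refused or timed out), "no-reply", "open", "auth-required"
    or "unknown" for one host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_cnxn())
            raw = _recv_exact(sock, HEADER.size)
    except OSError:
        return "closed"
    if len(raw) < HEADER.size:
        return "no-reply"
    try:
        return classify(parse_header(raw)["command"])
    except ValueError:
        return "unknown"


def scan(network: str, port: int = ADB_PORT) -> dict:
    """Probe every host in a CIDR block; returns only hosts that answered on the port."""
    results = {}
    for ip in ipaddress.ip_network(network, strict=False).hosts():
        verdict = probe(str(ip), port)
        if verdict != "closed":
            results[str(ip)] = verdict
    return results


if __name__ == "__main__":
    import sys
    # "192.168.1.0/24" is a hypothetical home LAN; pass your own block as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    for host, verdict in scan(target).items():
        print(f"{host}: {verdict}")
```

Run it from a machine on the same network as the box. A verdict of "open" means any device on the LAN can install apps and run commands on the box, which is the state Milisic found his T95 in; "auth-required" is what a correctly configured device answers, and most consumer devices should not be listening on that port at all.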

[Figure: attempts by the box to connect to malicious servers © GitHub/Daniel Milisic]
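To show the kind of evidence Milisic read out of his Pi-hole logs, here is an added example (not from the original page or from Milisic's repository) that parses query lines in the dnsmasq format Pi-hole writes to its log, matches the queried names against a watchlist by domain suffix, and reports every LAN client that resolved several watchlisted domains. The log lines and the watchlist entries, which use reserved .example and .invalid names, are constructed for illustration; a real watchlist would come from a threat-intelligence feed or from the indicators a researcher publishes.

```python
"""Triage Pi-hole query logs: find LAN clients resolving domains on a watchlist.
Added example; the log lines and the watchlist below are constructed."""
import re
from collections import defaultdict

# dnsmasq "log-queries" line format, as Pi-hole writes it to /var/log/pihole.log
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed watchlist (reserved names, not real indicators).
WATCHLIST = {"c2-tracker.example", "adclick.invalid", "update-push.example"}


def parse_queries(lines):
    """Yield (timestamp, qtype, domain, client) for each query line.
    forwarded/reply/cached lines carry no client address and are skipped."""
    for line in lines:
        m = QUERY_RE.match(line.rstrip("\n"))
        if m:
            yield m["ts"], m["qtype"], m["domain"].lower().rstrip("."), m["client"]


def on_watchlist(domain, watchlist=WATCHLIST):
    """Suffix match, so cdn.adclick.invalid hits the entry adclick.invalid."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in watchlist for i in range(len(parts)))


def triage(lines, watchlist=WATCHLIST, min_distinct=2):
    """Return {client: sorted distinct watchlisted domains} for clients that queried
    at least `min_distinct` different watchlisted names. Requiring several distinct
    names filters out a one-off hit such as a laptop following a single bad link."""
    hits = defaultdict(set)
    for _ts, _qtype, domain, client in parse_queries(lines):
        if on_watchlist(domain, watchlist):
            hits[client].add(domain)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_distinct}


# Constructed sample: 192.168.1.42 plays the TV box, 192.168.1.10 a laptop.
SAMPLE_LOG = """\
Jan  9 20:01:02 dnsmasq[412]: query[A] connectivitycheck.gstatic.com from 192.168.1.42
Jan  9 20:01:02 dnsmasq[412]: forwarded connectivitycheck.gstatic.com to 1.1.1.1
Jan  9 20:01:05 dnsmasq[412]: query[A] c2-tracker.example from 192.168.1.42
Jan  9 20:01:05 dnsmasq[412]: query[AAAA] c2-tracker.example from 192.168.1.42
Jan  9 20:01:09 dnsmasq[412]: query[A] cdn.adclick.invalid from 192.168.1.42
Jan  9 20:01:11 dnsmasq[412]: query[A] www.wikipedia.org from 192.168.1.10
Jan  9 20:01:30 dnsmasq[412]: query[A] adclick.invalid from 192.168.1.10
Jan  9 20:02:00 dnsmasq[412]: query[A] update-push.example from 192.168.1.42
""".splitlines()

if __name__ == "__main__":
    for client, domains in triage(SAMPLE_LOG).items():
        print(client, "->", ", ".join(domains))
```

On the sample, only the box (192.168.1.42) is reported, with three distinct watchlisted names; the laptop's single hit stays below the threshold. In practice you would feed the script `/var/log/pihole.log` from the Pi-hole host and a watchlist of your own.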

Since those first findings, Daniel Milisic has continued his investigation. He was able to show that his box, infected with a variant derived from CopyCat, a malware family first detected in 2017 that has already infected more than 14 million Android devices worldwide, was connecting to a botnet. This network, made up of hundreds or thousands of similarly compromised Android TV boxes, lets its operators secretly control the boxes' behavior so that they click on advertisements to generate money. They could do far worse, however: steal data, mine cryptocurrency, or launch DDoS (distributed denial of service) attacks capable, for example, of taking down web servers or paralyzing connected devices.

Daniel Milisic's findings were confirmed by another researcher, Bill Budington of the Electronic Frontier Foundation (EFF), who established that several Android TV box models sold by American and Chinese retail giants behave the same way. Four devices are implicated: AllWinner T95, AllWinner T95Max, Rockchip X12-Plus and Rockchip X88-Pro-10, references that can also be found under other names, all built around AllWinner or Rockchip chips.

It took Google a few months to react to Daniel Milisic's discoveries. Only a few days ago, the American giant published an explanation on its support pages to clarify the status of these boxes, which are potentially dangerous for users. The firm notes that some boxes run the Android Open Source Project (AOSP), the free version of Android that developers can adapt and modify as they see fit, and that these boxes are "marketed to appear as Android TV OS devices. Some of them may also come with Google apps and the Play Store that are not licensed by Google, which means these devices are not Play Protect certified." In other words, the goods are not what they claim to be. Boxes that carry the Android TV name without Google certification use an unlicensed copy of the Play Store, Google's online app store, and therefore lack Play Protect, the malware protection that scans apps before and after installation and flags known malware. As a result, such a box can download anything at all without the user being warned.

To help users see more clearly, the firm has also drawn up the list of partners it works with, who comply with the strict security and privacy policies it sets (go to the bottom of the page for the full list). It includes brands such as Xiaomi, Anker and Thomson. Google also invites users who have doubts about their hardware to carry out a simple check: confirm that the installed Play Store is Play Protect certified. Open the Play Store on the Android TV box, select your profile icon, then select Play Protect. A green tick should appear, indicating that the device is certified. If it does not, Google urges you to contact the manufacturer to obtain a certified device (good luck with that).

Android TV box: favor well-known brands

The investigations by Daniel Milisic and Bill Budington highlight the dangers posed by the many no-name Android TV boxes sold cheaply through the big online stores. Their firmware can be modified at any point, both on the production line and in the distribution chain. Once connected to the home network and the Internet, an infected box can discreetly siphon off a great deal of personal data. If you want a device of this type, it is therefore advisable, where possible, to choose a model from a reputable brand that does more than stamp its logo on the box and actually carries out checks. It will probably cost a little more up front, but you can use it with peace of mind.
