Cheap Android TV Boxes Sending Information Back To China Sold In OZ
A massive problem has emerged for several TV brands that initially invested in Chinese Android TV software for set-top boxes, with more than 20 devices believed to be infected and capable of accessing users’ home networks.
Several of the iT95 boxes are currently being sold at Kogan, Amazon and eBay.
The issue was identified back in May, when a malware botnet was discovered on a set-top box running Android TV; thousands of devices with this software were sold in Australia via online retailers and mainstream retailers.
Gavin Reid, CISO at Human Security, told Wired: “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff.”
In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg.
These boxes run AOSP (Android Open-Source Project), not Google’s certified ‘Android TV’ or ‘Google TV’ such as Chromecast and Nvidia Shield, and that’s the problem – the open nature of AOSP.
You can identify these boxes by their modified user interface, which differs from the one mandated by Google for all official ‘Android TV’ or ‘Google TV’ devices.
Back in 2019 ChannelNews questioned Sydney distributor Ayonz about the use of non-authorised Android OS software in its Blaupunkt set-top boxes and TVs.
At this stage authorities have identified seven Android TV devices and one tablet, with model codes ending in T95, T95Z, T95MAX, X88, Q9, X12PLUS, MXQ Pro 5G and J5-W, as affected.
Manufactured in China, the devices came preloaded with the malware before they reached resellers.
Human Security claims that 80% were infected with Badbox.
The company claims that a backdoor alters a component of the Android operating system, enabling it to execute code and gain access to apps installed on the device.
“Human Security tracked multiple types of fraud linked to the compromised devices. This includes advertising fraud; residential proxy services, where the group behind the scheme sell access to your home network; the creation of fake Gmail and WhatsApp accounts using the connections; and remote code installation. Those behind the scheme were selling access to residential networks commercially, the company’s report says, claiming to have access to more than 10 million home IP addresses and 7 million mobile IP addresses,” reported Wired.
“They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” Fyodor Yarochkin, a senior threat researcher at Trend Micro, told Wired.
“You can think of these badboxes as kind of like sleeper cells. They’re just sitting there waiting for instruction sets,” Gavin Reid said to Wired. “Friends don’t let friends plug in weird IoT devices into their home networks.”
Another piece of malware, referred to as ‘Peachpit’ by security researchers, appears to be funding the operation by showing hidden ads within apps, though it seems less harmful. Human Security has identified 39 Android, iOS and TV box apps affected by Peachpit.
The report indicates that Apple and Google are already addressing the issue.