Watch Out For These Malware-Infected Android TV Boxes

Compared to browsing a physical storefront, shopping for electronics online on sites like Amazon can turn you on to cheaper, off-brand alternatives to the major manufacturers. This is usually a good thing, getting you the kind of device you want with less bloat at a lower price tag, but as is often the case with good things, there are always bad actors taking advantage of them.

One recent example of this has arisen in the sale of off-brand Android TV streaming players. Since Android is open-source, including Android TV OS, just about any brand can make its own Android TV device. Unfortunately, several particularly popular models of Android TV box, readily available on Amazon, have been used to sneak malware into consumers' homes, with the boxes serving as a vector to steal data, conduct digital crimes, and generally expose innocent users to the worst parts of the internet.

A wolf in Android's clothing

According to a recent TechCrunch report, virulent malware has been found running rampant across two popular off-brand Android TV boxes that are sold on Amazon. The brands are AllWinner and RockChip, and the specific devices are the AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10. These devices seem very appealing at a glance, since they're cheaper than the major brands and allegedly offer extensive customizability. This is all a smokescreen, however.

Cybersecurity experts have found that the firmware in these Android TV boxes is infected with two kinds of malware. The first is a clickbot, which pulls up webpages from the dankest depths of the internet and clicks on ads to generate revenue, all while further infecting the device with malware loads delivered through those ads. The second is a botnet client, which connects the device to a malicious network for purposes like mining cryptocurrency, conducting DDoS attacks, and of course, harvesting user data. The precise scale of this botnet has not been determined, but it is estimated to be made up of anywhere from a few hundred to several thousand infected devices.

What should you do?

If you've purchased and used one of these devices, there is a distinct chance you've been exposed. While it is theoretically possible to manually remove the malware from the device and disconnect it from the botnet, doing so properly would take some in-depth scouring of the device's files. As such, the best option is to simply disconnect the device and, if you're outside your return window, trash it. If you logged into any apps or services using the infected box, you should change your passwords immediately and keep an eye out for any suspicious login attempts.

Unfortunately, not only are the affected boxes still listed for sale on Amazon, but most of them also maintain fairly high user ratings, consistently putting them closer to the top of search results. Short of advocating for higher retail standards, the only thing you can really do to protect yourself is to conduct additional research on any new device before purchasing it. Perform searches outside of Amazon reviews, especially on user-run sites like Reddit, to see if any concerning reports have arisen about a particular device before you go all-in on it. While it may be more expensive, it may be in your best interest to stick to major-brand Android TV devices like Chromecast or NVIDIA Shield TV.