A cybersecurity expert has recently exposed a widespread malware infection plaguing highly sought-after Android TV boxes sold online. 

The revelation comes from cybersecurity researcher Daniel Milisic, who stumbled upon this menacing threat. Quietly operating in the background, this malware stealthily generates illicit revenue for attackers by engaging in covert ad-clicking activities. 

The discovery of these infected devices has ignited concerns over the security of consumer electronics and the ease with which malware can infiltrate unsuspecting households.

Malware-Infected Android TV Box

TechCrunch tells us that Milisic's investigation commenced when he purchased an AllWinner T95 Android TV box, a product highly praised and readily available on the Amazon marketplace. 

Priced at an affordable $40, the T95 entices consumers with its array of streaming services and customizable features, making it an attractive choice for home entertainment buffs.

However, Milisic's excitement quickly turned to dismay as he unearthed a startling truth. Unbeknownst to its users, the TV box communicated covertly with a command-and-control (C2) server, waiting for instructions to download stage-two malware specifically designed to carry out ad-click fraud.

Similar Malware on Other Android TV Box Models

The gravity of Milisic's findings, shared on GitHub, resonated with other experts in the field, including the esteemed EFF security researcher Bill Budington. 

Budington confirmed the presence of similar malware on other Android TV box models, such as the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10. 

These troubling discoveries indicate that the malware infection extends beyond a single device and encompasses various Android TV box products.

A Network of Infected Android TV Boxes

TechCrunch tells us that the infected Android TV boxes constitute a sizable botnet, with countless compromised devices scattered across the globe. 


Once powered on, these devices establish connections with C2 servers to receive instructions for executing ad-click fraud and downloading additional malicious payloads.

Milisic promptly contacted the internet company hosting the C2 servers, leading to their swift shutdown. However, he cautions that threat actors can easily relocate their operations to new servers, making it arduous to fully eliminate the impact of this malware.
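Because the operators can move to new servers, defenders are better served by looking for the behaviour described above (a device that phones home at a fixed interval from the moment it is powered on) than for any particular address. The following is an added example, not code from the article or from Milisic's GitHub write-up: it scans constructed home-router flow-log lines and flags source/destination pairs whose outbound connections recur at a near-constant interval. The log format, addresses and timings are all constructed placeholders, not real indicators from this campaign.

```python
"""Spot periodic "beaconing" from a device on a home network.

Added example (not from the article or the researchers' write-up): a small
analyser over constructed router flow-log lines that flags source/destination
pairs whose outbound connections recur at a near-fixed interval, the pattern an
infected TV box shows when it polls its C2 server. All addresses and timings
are constructed placeholders, not real indicators of compromise.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log, one connection per line:
# "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes>"
# 192.168.1.23 plays the TV box; 192.168.1.40 plays an ordinary laptop.
SAMPLE_FLOWS = """\
2023-05-10T20:00:05 192.168.1.23 203.0.113.10:443 512
2023-05-10T20:00:09 192.168.1.40 198.51.100.7:443 8120
2023-05-10T20:05:06 192.168.1.23 203.0.113.10:443 498
2023-05-10T20:07:41 192.168.1.40 198.51.100.7:443 33010
2023-05-10T20:10:04 192.168.1.23 203.0.113.10:443 530
2023-05-10T20:15:05 192.168.1.23 203.0.113.10:443 501
2023-05-10T20:19:55 192.168.1.40 198.51.100.22:443 2201
2023-05-10T20:20:06 192.168.1.23 203.0.113.10:443 515
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port, bytes) tuples.

    Malformed lines are skipped rather than aborting the whole scan.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            dst, port = parts[2].rsplit(":", 1)
            flows.append((ts, parts[1], dst, int(port), int(parts[3])))
        except ValueError:
            continue
    return flows


def find_beacons(flows, min_events=4, max_cv=0.1):
    """Return {(src, dst, port): mean_gap_seconds} for regular call-home patterns.

    A pair is flagged when it has at least `min_events` connections and the
    gaps between them are tight: coefficient of variation (stdev / mean of the
    gaps) at or below `max_cv`. Human-driven traffic is bursty and rarely
    passes this test; a polling loop does.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def report(text):
    """Print flagged pairs in a form suitable for a router-log review."""
    beacons = find_beacons(parse_flows(text))
    for (src, dst, port), gap in sorted(beacons.items()):
        print(f"{src} -> {dst}:{port} connects roughly every {gap:.0f}s (regular beacon)")
    return beacons


if __name__ == "__main__":
    report(SAMPLE_FLOWS)
```

On the constructed sample, only the TV box's five-minute polling of 203.0.113.10 is flagged; the laptop's browsing to two hosts is too irregular and too sparse to pass. In practice the same logic can be pointed at DNS query logs or a firewall's connection log, and the interval it reports is a useful pivot for confirming whether a freshly plugged-in device started phoning home before anyone used it.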

Bill Budington expressed shock at the sheer magnitude and complexity of this operation, emphasizing the difficulty in gauging the true scale of the botnet. 

The researchers note that they have encountered different variants of Android trojan malware that download subsequent stages from the same set of IP addresses linked to previous supply-chain attacks. The vast scope and sophistication of this operation are both impressive and unsettling.

An Alarming Reality

One troubling aspect highlighted by the researchers is the lack of awareness and technical expertise among average users to identify and remove such malware from their TV boxes.

Consequently, the experts recommend that affected users consider replacing their devices with more reputable alternatives. 

Furthermore, they stress the need for resellers to shoulder greater responsibility and exercise due diligence when selling hardware, thereby preventing unwitting customers from falling victim to malicious activities.

As for Amazon, the retail giant has prohibited the sale of malware and other related products on the site. 

Amazon Ads lists "Malware, scareware, or spyware" in its Restricted Products section. Meanwhile, Amazon Seller Central notes that only products that do not interfere with other electronics can be sold on the platform.


ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.