Sunday, May 28, 2023

Popular Android TV boxes sold on Amazon are loaded with malware


AllWinner and RockChip may not be household names, but the two China-based companies provide several wildly popular Android TV boxes that are sold on Amazon.

These Android-powered TV set-top boxes are usually inexpensive and highly customizable, packing several streaming services into a single device rather than requiring separate hardware for each. Their listings on Amazon have four out of five stars and have accumulated thousands of praiseworthy reviews.

But security researchers say the models are sold with pre-installed malware capable of conducting coordinated cyber-attacks.

Last year, Daniel Milisic bought an AllWinner T95 set-top box and discovered that the box's firmware was infected with malware. Milisic found that the Android-powered set-top box was communicating with command and control servers and waiting for instructions on what to do next. His ongoing research, which he published on GitHub, found that his T95 model connected out of the box to a larger botnet of thousands of other malware-infected Android TV boxes in homes and offices around the world.

Milisic said the malware's default payload is a clickbot: code that generates ad money by surreptitiously tapping ads in the background. Once an affected Android TV box is turned on, the preloaded malware immediately contacts a command and control server, receives instructions on where to fetch the next stage, and pulls additional payloads onto the device to carry out the ad-click fraud.
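The behaviour described above, an implant that checks in with a command and control server on a timer and then downloads more, is something a home or office network owner can look for in router or firewall connection logs without touching the box itself: malware on a fixed polling interval produces connections to the same destination at near-constant gaps, while human-driven traffic is bursty. The following Python script is an added example, not Milisic's published research or any code from the article. The log-line format and all addresses are assumptions (the external addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, not from the botnet), and the sample lines are constructed for the example.

```python
"""Beacon detection over connection-log lines (added example, assumed format).

Flags (src, dst) pairs whose connections recur at near-constant intervals,
the signature of an implant polling a command-and-control server on a timer.
The log format below is an assumption; router/firewall exports differ.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 192.168.1.50 (a set-top box) polls 203.0.113.10 every
# 60 s; 192.168.1.20 (a laptop) talks to 198.51.100.7 at irregular times.
SAMPLE_LOG = [
    "2023-05-20T18:00:00 src=192.168.1.50 dst=203.0.113.10 dport=443",
    "2023-05-20T18:00:05 src=192.168.1.20 dst=198.51.100.7 dport=443",
    "2023-05-20T18:00:07 src=192.168.1.20 dst=198.51.100.7 dport=443",
    "2023-05-20T18:01:00 src=192.168.1.50 dst=203.0.113.10 dport=443",
    "2023-05-20T18:01:37 src=192.168.1.20 dst=198.51.100.7 dport=443",
    "2023-05-20T18:01:42 src=192.168.1.20 dst=198.51.100.7 dport=443",
    "2023-05-20T18:02:00 src=192.168.1.50 dst=203.0.113.10 dport=443",
    "2023-05-20T18:03:00 src=192.168.1.50 dst=203.0.113.10 dport=443",
    "2023-05-20T18:04:00 src=192.168.1.50 dst=203.0.113.10 dport=443",
    "2023-05-20T18:06:42 src=192.168.1.20 dst=198.51.100.7 dport=443",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): (hits, mean_gap_seconds, jitter)} for regular callers.

    jitter is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections. A fixed-timer implant scores near 0;
    a user browsing scores well above max_jitter. min_hits suppresses pairs
    with too few connections to judge.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[(rec["src"], rec["dst"])].append(rec["ts"])

    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[key] = (len(stamps), round(mean, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (hits, mean_gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hits} connections, every {mean_gap}s, jitter {jitter}")
```

The thresholds are starting points, not a verdict: legitimate software (update checkers, NTP, smart-speaker keepalives) also beacons, so a hit is a device and destination to investigate, for example by checking what the box does on first boot before any app is opened, not proof of infection on its own.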

“But because of the way the malware is designed, the authors can release any payload they want,” Milisic told TechCrunch.

EFF security researcher Bill Budington independently confirmed Milisic’s findings after he also bought an affected device from Amazon. Several other AllWinner and RockChip Android TV models are also preloaded with the malware, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.

A screenshot of the AllWinner T95 listed on Amazon. Image Credits: TechCrunch (screenshot)

Botnets usually consist of hundreds, if not thousands or millions, of compromised devices around the world. The operators behind a botnet can use this massive malicious network to mine cryptocurrency on the affected devices, steal data (if any) from a device or the network it is connected to, or leverage the collective internet bandwidth of the devices to flood other websites and internet servers with junk traffic, known as a distributed denial-of-service attack, taking them offline.

Milisic asked the internet company that hosts the command and control servers that handed out instructions to the wider botnet to take those servers offline, and the servers hosting the ad-click malware disappeared a short time after that. However, he warned that the botnet could come back with new infrastructure at any time.

It is not clear how large the botnet is. “It’s hard to quantify the size of this network,” Budington told TechCrunch. “What we do know is that everywhere we look there are different variants of Android Trojan malware downloading next-stage malware from the same set of IPs, which have historically been involved in supply chain attacks. It is an impressive and disturbing operation.”

Milisic and Budington note that there is no easy way for the average user to remove the malware. Throwing the box out altogether may be the best option for affected users.

“I think the only way to solve this problem is to hold retailers to a higher standard,” Milisic told TechCrunch. Referring to online sellers such as Amazon, “they are not allowed to sell children’s toys made from spinning razor blades. Why is it OK to let small, unknown sellers sell computers that act maliciously without the knowledge and consent of the owners?”

When TechCrunch reached out, Amazon spokesperson Adam Montgomery declined to say whether Amazon is reviewing the security of the devices it sells or plans to remove the malware-containing devices in question from sale.

AllWinner and RockChip did not return requests for comment.

There has been pressure in recent years to improve hardware security standards. The Biden administration said it plans to roll out a labeling system for internet-connected devices this year as part of efforts to encourage device manufacturers to improve the security of their devices, such as adding update mechanisms to fix security flaws. In 2018, California passed a law prohibiting internet-connected devices from using standard, easy-to-guess passwords, which adversaries often use to hack into devices and ensnare them in a botnet.

At the time of writing, the affected AllWinner and RockChip models are still for sale on Amazon.
