Search results for

All search results
Best daily deals

Affiliate links on Android Authority may earn us a commission. Learn more.

Highly-rated Android TV boxes on Amazon found preloaded with malware

Maybe think twice next time before buying a cheap Android TV box.
By

Published onMay 19, 2023

TL;DR
  • Multiple highly-rated Android TV boxes sold on Amazon come pre-loaded with malware.
  • Thie malware is responsible for ad-click fraud and makes the Android TV boxes a part of a larger botnet of infected devices.

Findings of multiple security researchers have brought to light concerning security issues with cheap but highly rated Android TV boxes on Amazon. As reported by TechCrunch, researcher Daniel Milisic is conducting an ongoing investigation into malware-infected Android TV boxes sold by little-known brands like AllWinner and RockChip.

These brands might not be household names, but they sell multiple five-star rated low-cost Android TV set-top boxes on Amazon. Milisic bought an AllWinner T95 box last year and discovered that the firmware was infected.

Milisic found that the Android TV box, which dons an “Amazon’s Choice” badge on the online retailer’s website, was reporting to a command-and-control server capable of installing any app the malware makers want.

The T95 was connected to a larger botnet of thousands of other infected Android TV boxes

Moreover, the T95 was connected to a larger botnet of thousands of other infected Android TV boxes across the globe. The malware installed on the boxes is called clickbot. It is designed to secretly tap on ads in the background to generate revenue. Once the affected Android TV boxes are switched on, the malware contacts the command-and-control server, gets instructions, and pulls additional payloads to the device to carry out the ad-click fraud.

EFF security researcher Bill Budington also independently confirmed Milisic’s findings by buying an infected Android TV box from Amazon. AllWinner and RockChip Android TV models that come with pre-loaded malware include the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10. Other models could also be infected.

Thanks to Milisic’s intervention, the internet company hosting the command-and-control servers and the botnet has pulled the servers down. However, the researcher warns the botnet could spring up anytime again with new infrastructure.

Who is to blame?

“I think the only way to mitigate this problem is to hold retailers to a higher standard,” Milisic told TechCrunch. Referring to Amazon, he said, “They’re not allowed to sell children’s toys made out of spinning razor blades, why is it OK to let small, unknown vendors sell computers acting maliciously without owners’ knowledge and permission?”

Amazon, AllWinner, and RockChip remain silent on the findings.

So if you want to pick up an Android TV device from Amazon, ensure you’re buying one from a well-known brand such as Google or NVIDIA. The cheaper, more customizable options might seem more appealing but could compromise your data security and privacy.