Just because you bought a brand new Android TV box, that doesn’t mean the device is clean from malware and safe to use. In fact, there are tens of thousands of Android-powered endpoints out there that are being shipped with backdoors.
This is according to a new report from cybersecurity experts Human Security which claims that seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W, are all being shipped with Badbox, a downloader based on the Triada malware.
When the victim buys the device and turns it on, Badbox activates, reaches out to its command & control (C2) server, and then pulls whatever stage-two malware it is told to download.
Supply chain woes
The total number of victims is hard to determine, the researchers said, but they identified at least 74,000 Android mobile phones, tablets, and connected TV boxes that are infected.
How these devices ended up with malware is anyone’s guess, but the researchers speculate that wasn’t the manufacturer’s intent. Instead, it’s likely that somewhere in the development chain, a third party got compromised and its access to the devices in production abused to deliver the downloader.
“This is a truly distributed way of doing fraud,” Human Security’s CISO, Gavin Reid, told Wired. The police have been briefed on the findings, he added.
There’s no word on the identity of the attackers, however Human Security said there are hackers out there offering advertising fraud, fake Gmail and WhatsApp accounts, and remote code installation. These threat actors are also offering access to residential networks, for a price. They claim to have “millions of mobile IP addresses” to work with
“You can think of these Badboxes as kind of like sleeper cells. They’re just sitting there waiting for instruction sets,” Reid told the publication.
This is not the first time researchers have sounded the alarm on these TV boxes, as cybersecurity researcher Daniel Milisic was warning consumers about T95 and other models months ago.