Android TV streaming set-top boxes built on AllWinner H616 and H618 quad-core chips, sold through Amazon and AliExpress, were found to ship pre-configured with malware which, in turn, exposes users to further malware. According to reports, boxes branded AllWinner, T95 and RockChip are carriers.
The pre-installed malware enrolls the box in a botnet of infected devices and changes device settings so that outside attackers can run commands and install further apps on the device. The box ships with the Android Debug Bridge (ADB) open, which lets attackers run background processes on the device that connect to multiple command-and-control servers.
An analysis by a Reddit poster found the box to be contacting “many known, active malware addresses.” After inspecting the DNS requests made by the malware, he succeeded in getting the hosting provider of some of the command-and-control servers to shut them down. He also contacted the chip maker, which confirmed the presence of a logging tool used by the malware.
What can be done?
Using Pi-hole, a DNS-based ad- and tracker-blocking utility for Linux, the Redditor overrode the DNS lookups for the malware’s command-and-control server and redirected all of the malware’s DNS queries to a dead-end address. However, he found this to be only partially effective and implored any affected users to “impale (the device) with a long screwdriver and toss this Amazon-supplied malware-tainted bomb in the garbage where it belongs.”
Or, better yet, don’t purchase cheap Android boxes online, as they are likely to be untrustworthy.
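As an added illustration of the DNS sinkhole approach described above (not code from the Reddit post or this article), the script below scans Pi-hole’s dnsmasq-format query log for LAN devices that look up sinkholed domains and renders the dnsmasq `address=` lines that answer those lookups with a dead-end address. The domain names and log lines are constructed placeholders, not the real indicators from the post.

```python
"""Spot LAN clients querying sinkholed domains in a Pi-hole (dnsmasq) query log."""
import re
from collections import defaultdict

# Pi-hole's /var/log/pihole.log uses dnsmasq's format; only "query[TYPE] name from client" lines matter here.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed placeholders standing in for the C2 domains the Redditor identified (not real IoCs).
SINKHOLED_DOMAINS = {"c2-placeholder-1.invalid", "c2-placeholder-2.invalid"}

def is_sinkholed(name, sinkholed=SINKHOLED_DOMAINS):
    """True if name equals, or is a subdomain of, any sinkholed domain (dnsmasq address= semantics)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in sinkholed for i in range(len(labels)))

def parse_query_log(lines):
    """Yield (client, qtype, name) for each query line; forwarded/cached/reply lines are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qtype"], m["name"]

def suspicious_clients(lines, sinkholed=SINKHOLED_DOMAINS):
    """Map each client IP to the sorted list of sinkholed names it asked for."""
    hits = defaultdict(set)
    for client, _qtype, name in parse_query_log(lines):
        if is_sinkholed(name, sinkholed):
            hits[client].add(name.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}

def dnsmasq_sinkhole_config(sinkholed=SINKHOLED_DOMAINS):
    """Render dnsmasq 'address=' lines (usable in a Pi-hole dnsmasq.d drop-in) that resolve each domain to 0.0.0.0."""
    return "\n".join(f"address=/{domain}/0.0.0.0" for domain in sorted(sinkholed))

# Constructed sample log: one box (192.168.1.50) beaconing, one ordinary client (192.168.1.20).
SAMPLE_LOG = [
    "May 10 12:00:01 dnsmasq[812]: query[A] c2-placeholder-1.invalid from 192.168.1.50",
    "May 10 12:00:01 dnsmasq[812]: forwarded c2-placeholder-1.invalid to 1.1.1.1",
    "May 10 12:00:02 dnsmasq[812]: query[A] update.c2-placeholder-2.invalid from 192.168.1.50",
    "May 10 12:00:03 dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.20",
    "May 10 12:00:04 dnsmasq[812]: reply www.example.com is 93.184.216.34",
]

if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client} queried sinkholed domains: {', '.join(names)}")
    print(dnsmasq_sinkhole_config())
```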
Android TV Boxes Sold on Amazon Come Pre-loaded with Malware. Article by Bill Budington. May 10, 2023. Electronic Frontier Foundation.
T95 Android TV (Allwinner H616) includes malware right out-of-the-box. Post by desktopecho. Edited April 18, 2023. Reddit, Android.
Lemon Group’s Cybercriminal Business Built on Preinfected Devices. Article by Fyodor Yarochkin, Zhengyu Dong, Paul Pajares.
Potentially millions of Android TVs and phones come with malware preinstalled. Article by Dan Goodin. May 18, 2023. Ars Technica.
Why it matters
The fact that these devices are sold through Amazon to this day is ironic, as they serve not only to undermine Amazon’s own Prime Video service, but in this case, could potentially tarnish Amazon’s broader reputation as a trusted retailer.
It’s incumbent on device retailers to put a resource in place that can perform a due-diligence technical evaluation before placing such devices on the store shelves. And certainly Amazon can afford to do so.
Streaming boxes from unknown suppliers have long been vectors for attacks against consumers, as well as being avenues to deliver stolen content and services. Consumers are best served by avoiding them.
For developers of (legitimate) apps, a DevSecOps approach is critical to reducing the likelihood of reverse engineering, exposure of secret keys and data, or penetration that enables an attacker to steal content or services through ‘open doors’ in the app. A zero-trust approach ensures that every service interaction is authenticated, even for those interactions that take place within an app.