Just because you bought a brand new Android TV box doesn’t mean the device is malware-free and safe to use. In fact, there are tens of thousands of Android-powered endpoints that ship with backdoors.
This is evident from a new report by cybersecurity firm Human Security, which claims that seven TV boxes, the T95, T95Z, T95MAX, X88, Q9,
When the victim purchases the device and turns it on, Badbox activates, contacts the command and control (C2) server, and then pulls down the second-stage malware it needs.
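The behaviour described above, a device that beacons to an unknown host within minutes of first being powered on, is something a network defender can look for. The following is an added example, not code from the article or from Human Security: it parses constructed gateway DNS log lines (format, MAC addresses and every hostname are assumptions for this example) and flags any newly seen device that, inside a short first-boot window, looks up hosts outside an allowlist of expected first-boot destinations.

```python
"""
Added example (not from the article or Human Security): flag a freshly
powered-on device that reaches out to unknown hosts within minutes of
first joining the network, the pattern the article describes for Badbox.

Assumptions (all constructed for this example):
  - the home/SOHO gateway writes one line per outbound DNS lookup in the
    form "<ISO timestamp> <client MAC> <queried hostname>";
  - an allowlist of hostnames a TV box is expected to contact on first boot
    (placeholders below, not real vendor or app-store domains).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder allowlist; a real deployment would populate this from the
# observed first-boot traffic of a trusted unit of the same model.
EXPECTED_FIRST_BOOT_HOSTS = {
    "updates.example-vendor.invalid",
    "time.example-ntp.invalid",
    "play.example-store.invalid",
}

# Window after a device's first appearance in which unexpected lookups are
# treated as suspicious.
FIRST_BOOT_WINDOW = timedelta(minutes=10)

# Constructed log lines: a TV box (MAC ending :aa) and a laptop (ending :bb).
SAMPLE_LOG = """\
2024-05-01T18:00:02 dc:a6:32:00:00:aa time.example-ntp.invalid
2024-05-01T18:00:05 dc:a6:32:00:00:aa updates.example-vendor.invalid
2024-05-01T18:00:41 dc:a6:32:00:00:aa cdn-3.stat-collect.invalid
2024-05-01T18:01:10 dc:a6:32:00:00:aa cdn-3.stat-collect.invalid
2024-05-01T18:02:00 dc:a6:32:00:00:bb mail.example-webmail.invalid
2024-05-01T19:30:00 dc:a6:32:00:00:aa video.example-streaming.invalid
"""


def parse_line(line):
    """Split one log line into (timestamp, mac, host)."""
    ts, mac, host = line.split()
    return datetime.fromisoformat(ts), mac.lower(), host.lower()


def first_boot_beacons(log_text, allowlist=EXPECTED_FIRST_BOOT_HOSTS,
                       window=FIRST_BOOT_WINDOW, known_macs=()):
    """Return {mac: sorted list of unexpected hosts} for devices that, within
    `window` of their first-ever appearance in the log, looked up hosts
    outside `allowlist`. MACs listed in `known_macs` are not new and are
    skipped. Lines are processed in file order, so the first line for a MAC
    defines its first-seen time."""
    first_seen = {}
    suspects = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, mac, host = parse_line(raw)
        if mac in known_macs:
            continue
        first_seen.setdefault(mac, ts)
        if ts - first_seen[mac] <= window and host not in allowlist:
            suspects[mac].add(host)
    return {mac: sorted(hosts) for mac, hosts in suspects.items()}


if __name__ == "__main__":
    # The laptop is already inventoried, so only the TV box is evaluated.
    hits = first_boot_beacons(SAMPLE_LOG, known_macs={"dc:a6:32:00:00:bb"})
    for mac, hosts in hits.items():
        print(f"{mac}: unexpected first-boot lookups -> {', '.join(hosts)}")
```

The later lookup of the streaming host at 19:30 is ignored because it falls outside the first-boot window; the point of the check is the narrow window right after power-on, when a legitimate device has a small, predictable set of destinations. Without the `known_macs` inventory the laptop is flagged as well, which is why the allowlist and the inventory both matter for keeping false positives down.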
Supply chain issues
The total number of victims is difficult to determine, the researchers said, but they identified at least 74,000 Android mobile phones, tablets and connected TV boxes that were infected.
How these devices ended up with malware is anyone’s guess, but researchers speculate that this was not the manufacturer’s intention. Instead, it’s likely that somewhere in the development chain a third party was compromised and its access to the devices in production was abused to deliver the downloader.
“This is a truly distributed way to commit fraud,” Gavin Reid, CISO of Human Security, told Wired. Law enforcement has been informed of the findings, he added.
There is no word on the identity of the attackers, but Human Security says the operators offer ad fraud, fake Gmail and WhatsApp accounts, and remote code installation as services. These threat actors also sell access to residential networks. They claim to have “millions of mobile IP addresses” to work with.
“You can see these Badboxes as a kind of sleeping cell. They just sit there waiting for instruction sets,” Reid told the publication.
This isn’t the first time researchers have raised alarms about these TV boxes, as cybersecurity researcher Daniel Milisic warned consumers about T95 and other models months ago.