Jan 13 – In Canada, a security consultant discovered that an Android TV box, which was purchased from Amazon, arrived pre-loaded with malware baked into its firmware.
The malware was identified by Daniel Milisic, who created a script and instructions that assisted users in stopping the payload.
The untrustworthy TV is known as the T95 Android TV box and it has an AllWinner T616 processor. It’s widely available on platforms like Amazon, AliExpress and through other major e-commerce retailers.
At present, it remains unclear as to whether this device represented an edge-case, or if all devices from this model or brand include the malicious component.
Malware on the TV streaming box
The T95 streaming device relies on an Android 10-based ROM signed with test keys and the ADB (Android Debug Bridge) over open Ethernet and WiFi.
This represents a suspicious configuration, as ADB can be used for purposes of connecting to devices for unrestricted filesystem access, command execution, software installation, modification and remote control.
Yet, because the majority of consumer streaming services sit behind a firewall, cyber adversaries likely will not be able to connect to ADB remotely.
The malware on the device
Milisic believes that the malware on the device is related to ‘CopyCat,’ a sophisticated Android malware that was first discovered by Check Point in 2017. Previously, the malware had been spotted in an adware campaign. At that point in time, it infected 14 million Android devices, generating over $1,500,000 in profits for the operators.
The electronics market
Inexpensive Android-based TV box devices tend to move along an obscure route from manufacturing to global market availability.
In a large number of instances, the devices are sold under multiple brands and device names. It’s not always possible to trace their point of origination.
Further, as the devices are moved along the supply chain and then through the vendor and reseller market, handlers have several opportunities to load custom ROMs on the devices, including potentially malicious ones.
To avoid the risk of malware on a new TV, consider purchasing a device from a reputable vendor, like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV and Roku Stick.
Lastly, to receive cutting-edge cyber security news, best practices and resources in your inbox each week, please sign up for the CyberTalk.org newsletter.