Android TV Boxes Sold on Amazon Come Pre-Loaded with Malware

/in


Certain Android TV Box models from manufacturers AllWinner and RockChip, available for purchase on Amazon, come pre-loaded with malware from the BianLian family, a variant of which we investigated last year. The malware, discovered by security researcher Daniel Milisic, adds your smart set-top box to a botnet for initiating coordinated attacks. Affected models include the AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10.

By looking at the traffic being sent by these devices, the researcher was surprised to find a number of DNS requests being sent for domains publically known to be botnet Command and Control (C&C) servers. The researcher also extracted a Stage-1 payload for the malware and contacted Linode, who had been hosting some of the C&C servers, getting them to shut them down. Having reached out to AllWinner, the researcher received a response denying the presence of malware and attributing the malicious traffic observed to the presence of Logcat on the system—a fact which is wholly unrelated. EFF was able to independently confirm the researcher’s findings.

What’s more, the T95 smart set-top box came out-of-the-box with the Android Debugger (adb) wide open and available over WiFi. The Android Debugger gives access to control a device, including issuing commands and installing apps. The device firmware was signed with a testing key, and no clean or production-ready firmware was made available to consumers. Without access to a clean version of the system firmware, consumers are left without a clear way to clean their system of the malware.

The widespread availability of these low-end devices present a danger to consumers, their networks, and the security and stability of the internet at large. Though it would be impractical to conduct a thorough security audit for all merchandise sold on Amazon, a more thorough vetting process could be introduced before selling consumer-grade IoT devices. For instance, a basic network analysis would have found these devices communicating with C&C servers and having wide-open adb ports.

The sale of these devices reveals some glaring holes in public cybersecurity infrastructure. The devices, manufactured by…

Source…