Thursday, March 28, 2024

Chinese Android TV boxes sold with malware pre-installed


DDoS attacks, mining and data theft – is buying a cheap TV box worth the consequences?

Several popular Android TV boxes currently sold on Amazon contain malware right out of the box that can perform a whole range of malicious activities, independent security researchers report.

Android TV boxes allow users to watch various streaming content from popular platforms, as well as install third-party software that gives them access to mountains of free content. Such consoles are relatively cheap and are very popular in the CIS countries.

The Chinese companies AllWinner and RockChip may not be known to the general public, but their products have high ratings and thousands of positive reviews on Amazon and AliExpress.

However, researchers have found that these particular set-top boxes are often sold with pre-installed malware that can connect them to a botnet, a network of infected devices that can be used to mine cryptocurrency, steal data, or organize DDoS attacks on other sites and servers.

Security researcher Daniel Milisic bought an AllWinner T95 for personal use and quickly discovered that the device's firmware had been infected with malware. Milisic found that, immediately after being switched on, the set-top box contacted the C2 servers and received instructions from them.

The investigation that Milisic published on GitHub showed that the T95 set-top box model he purchased was part of a large botnet of thousands of other infected set-top boxes in homes and work offices around the world.

The researcher said that the main task of the embedded malware is to act as a clickbot, that is, code that generates ad revenue by discreetly clicking on ads in the background. “But because of the way malware is designed, its authors can submit any code,” Milisic said.

Bill Budington, a security researcher at the EFF, independently confirmed Milisic's findings after also purchasing an infected device from Amazon. Several other AllWinner and RockChip models also contain pre-installed malware, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.

It’s funny that these particular models of set-top boxes are extremely common in Russia and other CIS countries, as they are sold in huge quantities on AliExpress. It is not clear who is responsible for installing the malware, the manufacturer or a specific seller on Amazon, but ordering similar set-top boxes for personal use should be done with great care.

And if the purchase has already taken place, it is worth checking the device for viruses with special software and removing them, if possible. As an alternative, the set-top box can be flashed to a safer version of the software, since there is plenty of such firmware on various Russian-language forums for enthusiasts.

Milisic was able to contact an internet company that was hosting malicious servers to control the botnet, and it soon shut them down. However, the researcher warned that the botnet could return at any moment with new infrastructure.

“It is not known how big the botnet is. It is difficult to estimate the scale of this network. What we know for sure is that wherever we look, we see different variants of Android trojans that download the next stage of malware from the same set of IP addresses that were previously implicated in supply chain attacks. This is an impressive and disturbing operation,” said Bill Budington.

At the time of publication of the news, the infected AllWinner and RockChip models are still available for sale on Amazon.



Source: www.securitylab.ru
