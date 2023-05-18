



AllWinner and RockChip may not be household names, but the two China-based companies power some very popular Android TV boxes for sale on Amazon.

These Android-powered TV set-top boxes are typically inexpensive and highly customizable, packing multiple streaming services into one device rather than requiring separate hardware for each. Their product listings on Amazon boast a 4-out-of-5-star rating and collectively amass thousands of laudatory reviews.

But security researchers say those models are sold preloaded with malware that can launch coordinated cyberattacks.

Last year, Daniel Milisic purchased an AllWinner T95 set-top box and discovered that its firmware was infected with malware. Milisic found that the Android-powered set-top box communicated with command-and-control servers, waiting for instructions on what to do next. In an ongoing write-up published on his GitHub, he found that his T95 had quickly joined a larger botnet made up of thousands of other infected Android TV boxes in homes and offices around the world.

The default payload of the malware, Milisic said, is a clickbot, essentially code that generates ad revenue by surreptitiously tapping ads in the background. As soon as an affected Android TV box is powered on, the preloaded malware connects to the command-and-control server to obtain instructions on where to find the additional malware it needs, then pulls that payload down to carry out further ad-click fraud on the device.

“But the way the malware is designed allows the authors to push out whatever payload they want,” Milisic told TechCrunch.

EFF security researcher Bill Budington also independently confirmed Milisic’s findings after purchasing an affected device from Amazon. Several other AllWinner and RockChip Android TV models are also preloaded with malware, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.

Botnets typically consist of hundreds, if not thousands, of compromised devices around the world. The operators behind botnets can use this vast malicious network to mine cryptocurrency on affected devices, to extract data (if any) from the devices and the networks they are connected to, or to use the devices’ internet bandwidth to flood other websites and internet servers with junk traffic, known as a distributed denial-of-service attack, in order to knock them offline.

Milisic asked the internet companies hosting the command-and-control servers that were directing the widespread botnet to take those servers offline, and the servers hosting the ad-clicking malware quickly disappeared. However, he warned that the botnet could respawn on new infrastructure at any time.

It is unknown how large the botnet is. “The scale of this network is difficult to quantify,” Budington told TechCrunch. “What we do know is that everywhere we look there are different variants of Android Trojan malware, downloading next-stage malware from the same set of IPs and having been involved in supply chain attacks in the past. It’s an impressive and unsettling maneuver.”

Milisic and Budington point out that there is no easy way for the average user to remove the malware. For affected users, ditching the box entirely may be the best option.

“I think the only way to mitigate this problem is to hold retailers to higher standards,” Milisic told TechCrunch. Referring to online sellers like Amazon, he said, “Just as we are not allowed to sell children’s toys made from spinning razor blades, we should not be allowed to sell computers that operate maliciously without the owner’s knowledge or permission. Why are small, unknown distributors allowed to sell them?”

Speaking to TechCrunch, Amazon spokesperson Adam Montgomery declined to say whether Amazon reviews the security of the devices it sells or plans to remove the devices containing the malware in question from sale.

AllWinner and RockChip did not respond to requests for comment.

Efforts have been made in recent years to raise the standard for hardware security. The Biden administration said it plans to roll out a labeling system for internet-connected devices this year as part of an effort to encourage device makers to improve the security of their products, including adding update mechanisms to fix security flaws. In 2018, California passed a law banning internet-connected devices from using default, easy-to-guess passwords. Such passwords are often used by malicious parties to conscript devices into botnets.

At the time of this writing, the affected AllWinner and RockChip models are still available on Amazon.

Source: https://techcrunch.com/2023/05/18/popular-android-tv-boxes-sold-on-amazon-are-laced-with-malware/

