Amazon Sold Android TV Boxes Infected with Malware: Report

Security researchers have discovered some Android TV boxes sold on Amazon come preloaded with malware capable of launching coordinated cyberattacks, TechCrunch reports.

[Image: AllWinner TV device on Amazon (screenshot via TechCrunch)]

These devices, powered by AllWinner and RockChip, are gaining popularity due to their affordability and customization options, offering a multitude of streaming services in one device.

Daniel Milisic, who purchased an AllWinner T95 set-top box last year, found malware within the chip’s firmware. Milisic’s investigation revealed that the infected device was communicating with command and control servers, awaiting instructions.

The researcher found that his T95 model was connected to a large botnet consisting of thousands of other malware-infected Android TV boxes globally.

The default payload of the malware is a clickbot, generating revenue by surreptitiously clicking on ads in the background, according to Milisic.

Once the device is powered on, the malware immediately contacts the server for instructions on where to find the necessary malware, then pulls additional payloads to engage in ad-click fraud.

EFF security researcher Bill Budington independently verified Milisic’s findings by purchasing an affected device.

(AllWinner T95 via

Other AllWinner and RockChip Android TV models, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10, were also found to be preloaded with the malware.

Milisic asked the internet company hosting the command and control servers to take them offline, after which the ad-click malware servers disappeared.

However, he cautioned that the botnet could resurface with new infrastructure at any time.

When approached by TechCrunch, Amazon declined to comment on whether it reviews the security of the devices it sells or whether it plans to remove the malware-containing devices from its platform.

With AllWinner and RockChip Android TV boxes still available for purchase, do you think Amazon should continue allowing unknown vendors to sell such malicious devices?