AllWinner and RockChip might not be household names, but the two China-based companies power several wildly popular Android TV boxes that are sold on Amazon.
These Android-powered television set-top boxes are typically cheap and are highly customizable, packing several streaming services into a single device, rather than buying separate hardware. Their listings on Amazon boast four-out-of-five star ratings and collectively racked up thousands of praiseworthy reviews.
But security researchers say the models are sold preloaded with malware capable of launching coordinated cyberattacks.
Last year, Daniel Milisic bought an AllWinner T95 set-top box and discovered the chip's firmware was infected with malware. Milisic found that the Android-powered set-top box was communicating with command and control servers and awaiting instructions on what to do next. His ongoing investigation, which he published on GitHub, found that his T95 model was out-of-the-box connecting to a larger botnet of thousands of other malware-infected Android TV boxes in homes and offices across the globe.
Milisic said the malware's default payload is a clickbot, essentially code that generates ad money by surreptitiously tapping on ads in the background. After the affected Android TV boxes are powered on, the preloaded malware immediately contacts a command and control server, obtains its instructions of where to find the malware it needs, and pulls additional payloads to the device that carries out the ad-click fraud.
"But because of the way the malware is designed, the authors can push out any payload they like," Milisic told TechCrunch.
EFF security researcher Bill Budington independently confirmed Milisic's findings after also buying an affected device from Amazon. Several other AllWinner and RockChip Android TV models are also preloaded with the malware, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10.
A screenshot of the AllWinner T95 listed on Amazon. Image Credits: TechCrunch (screenshot)
Botnets are usually made up of hundreds, if not thousands or millions, of compromised devices around the world. The operators behind the botnet can use this vast malicious network for mining cryptocurrency on an affected device, stealing data (if any) from the device or the network it's connected to or harnessing the collective internet bandwidth from these devices to pummel other websites and internet servers with junk traffic, known as a distributed denial-of-service attack, knocking them offline.
Milisic asked the internet company hosting the command and control servers that dished out instructions to the wider botnet to pull those servers offline, and the servers hosting the ad-click malware disappeared a short time after. He warned, though, that the botnet could come back at any time with new infrastructure.
It's not clear how large the botnet is. “It’s difficult to quantify the scale of this network," Budington told TechCrunch. "What we do know is that everywhere we look there are different variants of Android trojan malware downloading next-stage malware from the same set of IPs, ones that have been involved in supply-chain attacks in the past. It’s an impressive and unsettling operation."
Milisic and Budington note that there's no easy way to remove the malware for the average user. Throwing out the box altogether might be the best option for affected users.
"I think the only way to mitigate this problem is to hold retailers to a higher standard," Milisic told TechCrunch. Referring to online sellers like Amazon, "they're not allowed to sell children's toys made out of spinning razor blades, why is it OK to let small, unknown vendors sell computers acting maliciously without owners' knowledge and permission?"
When reached by TechCrunch, Amazon spokesperson Adam Montgomery declined to say if Amazon reviews the security of the devices it sells or if it plans to remove from sale the malware-containing devices in question.
AllWinner and RockChip did not return requests for comment.
There has been a push in recent years to improve the standards of hardware security. The Biden administration said it plans to roll out a labeling system for internet-connected devices this year as part of efforts to encourage device makers to improve their device security, such as adding update mechanisms to patch security flaws. In 2018, California passed a law that bans internet-connected devices from using default and easy-to-guess passwords, which bad actors often use to hack into devices and ensnare them into a botnet.
At the time of writing, the affected AllWinner and RockChip models are still available for sale on Amazon.