Cheap Chinese Android TV set-top boxes riddled with Badbox spyware (AV)

Earlier this year, researchers found most cheap Chinese Android TV set-top boxes or Dongles are riddled with spyware. These sell online and via marketplaces and inflict critical damage. Worse still is this has been happening since 2016!

These devices plug into a TV HDMI Port and add Android TV to your existing TV.

It has become so bad that Google has ceased using the name Android TV in favour of Google TV, which it controls via certification.

A few facts about Cheap Chinese Android TV set-top boxes

First, we are not referring to any licenced, certified Android TV (now Google TV) like Google Chromecast TV, NVIDIA Shield or TVs from Sony, TCL, etc. These devices use the Google Play Store, and apps are Play Protect Certified.

Cheap Chinese Android set-top boxes use Android Open-Source Project (AOSP) TV and sideloaded APK (Android Package Kit) Apps and sell for under $100, making them very appealing. eBay lists 3800+ results, Amazon has them, and China’s Alibaba lists 20,000+. Some are Google-certified (safe), but the vast majority are not.

You can only tell when you connect the system – it looks different to Google TV, and cannot access the Play Store. We are not saying all Chinese manufacturers are complicit in this. They buy template designs pre-infected with the Triada malware to satisfy a vast home market.

Security company Trend Micro says that one ‘bad actor’ claims to have a network of at least 20 million infected devices and two million active at any time.

What does the malware do?

Researchers have found the boxes all use a generic ARM processor and run modified ASOP Android TV. This downloads other malware via the internet. It cannot be removed – even a reboot and clean install sees it return.

Here are some of the things it can do. These can change immediately as the Command-and-Control malware servers download new malware and disruptive campaigns.

  • Hidden advertisements (you don’t see them, but the advertisers pay for the ‘clicks’). Human Security Researchers found that one bad actor made 4 billion ad requests daily.
  • Become part of the Mirai botnet to run DDOS (distributed denial of service) attacks to choke websites.
  • Email spam from spoofed addresses
  • Intercepts payment-related texts, one-time ID verification, and emails to redirect payment to them
  • Infiltrate home networks looking for banking details, documents, and contact lists and exfiltrating them to Chinese-based cybercriminals.
  • Installing Adups malware that steals data, keystrokes and infects other devices.
  • Residential proxy services (directing all internet traffic through the box for analysis) or making it look like you are a cybercriminal.
  • Creating fake Gmail and WhatsApp accounts using your IP and personal data.

It is everywhere

Trend Micro and other researchers have identified BadBox malware on Android TV, Android ASOP smartphones and Android ASOP Auto. A variant of PeachPit attacks iOS mobile phones and tablets.

What can you do?

If you have a Cheap Chinese Android TV set-top box and notice your internet is slow, abnormal behaviour such as sudden pop-ups, unexplained data usage, or performance issues, it could indicate a malware infection.

Look at the remote control – Google TV (L) has a distinct style where infected boxes have a generic control (R).

Unfortunately, there are no removal programs for users.

Trend Micro Device Security Ultimate – the black box protecting your home can detect unusual network activity and the device you must remove. In our tests, it immediately identified a cheap Chinese Android TV set-top box sent to us for review.

Unfortunately, BADBOX-infected devices are unsalvageable by an average user. Since the malware is located on a read-only (ROM) partition of the device firmware, the average user won’t be able to remove BADBOX from their product. As BADBOX affects almost all entirely lower-price-point, ‘off-brand’ devices, the Satori team recommends that users stick to familiar brands when choosing new devices.