Android TV boxes have long been a favoured place for threat actors to hide malware and compromise users’ networks. However, a new report from cybersecurity firm Human Security suggests that this issue may be more widespread than previously thought, as they have discovered a staggering 74,000 Android mobile phones, tablets, and connected TV boxes infected with malware, putting users’ data and privacy at risk.
According to the report, most of the infected Android TV boxes come preloaded with the Triada malware, which is capable of executing a wide range of functions, including ad fraud, creating fake accounts on platforms like Gmail and WhatsApp, and selling access to home networks. Additionally, the fact that the malware is present on over 200 models of Android TV boxes suggests a highly widespread operation. Out of all the models, the report specifically highlights eight devices as major carriers, including seven TV boxes—T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G—and a tablet, J5-W.
“They’re like a Swiss Army knife of doing bad things on the internet,” said Gavin Reid, Human Security’s CISO.
So, how does the operation work?
While it’s impossible to pinpoint the exact method threat actors use to install malware, it is clear that these infected devices are manufactured in China, and somewhere along the supply chain, presumably before reaching resellers, threat actors install the notorious malware. These backdoors operate through a global network, and once a user plugs the device into their TV, it establishes a connection with a command-and-control server in China, downloads an instruction set, and initiates various malicious activities.
As explained by Reid, these Android TV boxes act as sleeper cells, lying dormant until activated by external commands. Furthermore, the threat actors have access to millions of mobile IP addresses and sell access to residential networks as part of their operations.
“They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point in time. It’s easy for them to infiltrate the supply chain, and for manufacturers, it’s really difficult to detect,” said security researcher Fyodor Yarochkin.