Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Android Google Television

1.3 Million Android-Based TV Boxes Backdoored; Researchers Still Don't Know How (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The following device models infected by Vo1d are: [R4, TV BOX, KJ-SMART4KVIP].

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.
"These off-brand devices discovered to be infected were not Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."

Users can confirm if their device runs Android TV OS via this link and following the steps here.
This discussion has been archived. No new comments can be posted.

1.3 Million Android-Based TV Boxes Backdoored; Researchers Still Don't Know How

Comments Filter:
  • Bad engineering. In this case by the device makers. Seriously. We have reached a point where the details hardly matter. It is a fundamental problem. Unless and until we start mandating actually competent engineering in the IT space (liability for damage, engineering standards or no sale to the general public, prohibited use of non-qualified personnel, etc.) this will just get worse and worse.

    • Re: (Score:2, Offtopic)

      by ls671 ( 1122017 )

      Bad engineering...

      More like over-engineering IMHO. Plenty of devices really don't need to be smart and have a programmable computer inside them so no competent engineering in the IT space would be required at all.

  • by rtkluttz ( 244325 ) on Friday September 13, 2024 @07:48PM (#64786679) Homepage

    Stop the BS of insisting the closed ecosystem makes it safer. Google watching it in the play store makes it no safer than anything else. Plain and simple this is an unpatched exploit that more eyes would have found. We have to stop this bullshit of creating FUD that closed ecosystems are anything other than bad. No company should retain more control of a device than the owner of that device... period. From cell phones, to PC's to connected devices all the way up to automobiles. And fact be known, it should always be possible to keep your device or its data airgapped from the internet if you so choose and keep your data 100% local.

    • Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

      Stop the BS of insisting the closed ecosystem makes it safer. Google watching it in the play store makes it no safer than anything else. Plain and simple this is an unpatched exploit that more eyes would have found.

      As TFS says, we don't yet know what the vector was. As some have suggested in this discussion, maybe these units came pre-backdoored. And it is possible that Play Protect or whatever they're calling it would have prevented this, which we'll never know.

      • Play Protect is only available on commercial devices which have paid their licensing fees to Google, and have passed CTS. You the end user can install it manually, but it's not going to be accepted immediately by Google. (You'll need to login to Google on another device, drop deep into the settings and put in a specific hexstring dumped from the Play Store.) In any case, these devices were built by their manufacturers with the explicit intent of not paying Google's fees or passing CTS to keep costs down.

        C
        • TL;DR: That's not happening. Play Protect wouldn't have done anything in this case.

          Play Protect DIDN'T do anything in this case, not WOULDN'T HAVE. In order for it to be active, several other things would have had to be different, yes. That's completely irrelevant to the argument. Also, as you yourself say is is possible to enable it on such devices. You literally laid out how its done in your tweet, except for providing the useful details of course.

          Your take is dumb, we know it's dumb because it contained all the details needed to know how dumb it was, so you should feel doubly dumb.

  • by caseih ( 160668 ) on Friday September 13, 2024 @09:04PM (#64786763)

    Isn't it most likely these devices came from the factory with malware installed in the firmware image? None of these devices I've ever heard of before, and none of them seem to have google apps on them. I always thought most android devices coming out of China with generic Android images on them (with no play store) are rather suspect for malware and anyone that buys them should plan to blow the firmware away and put something more trustworthy on them.

    • by Al_Lapalme ( 698542 ) on Friday September 13, 2024 @09:37PM (#64786815)

      My thoughts exactly. A few years ago I bought an Android box for the tv from Amazon. It was named something like m6 or m8,..
      Anyway, we set up Netflix on the box and days later I was emailed by Netflix saying my account had been accessed from a foreign country. These boxes are coming pre-infected.

      • by olmsfam ( 1399493 ) on Friday September 13, 2024 @10:42PM (#64786891)

        Linus tech tips actually exposed this like a year or more ago. https://youtu.be/1vpepaQ-VQQ?t... [youtu.be]

        • Wow - just hit me how easy of a scam this would be and feel kind of silly for not thinking of it before (not that I’d exploit it) - sell a dirt cheap (even below cost) set top box pre-loaded with free android OS and crappy free streaming apps, and potentially millions will plug it into their home network and watch Tubi for free (which can be done with anything). I could program such a thing on a Saturday, probably even have the HDMI and whatnot connections designed for a factory by Sunday. What a gapi
          • To be fair (to myself lol), the reason I never thought of this is it would never occur to me to plug some fly by night Chinese hardware into my network. Only things I’ll plug in there come from major US corps I can sue the living fuck out of if I found something similar.
  • But they don't way what it is, and searching the model numbers just shows other news articles about the same malware.

    Is this like an Alibababba device?
  • I still live pretty simply. Buy TV. Never connect it to internet.
    Buy disposable somethingrather. Use it.

    When disposable roku streambar stick puck whatever is compromised I simply throw it away. The minute you hook your tv directly to all the virus distribution platforms now you have to throw away the tv.

  • Jellyfin has a big problem on Android TV where you can't run your own internal CA because without GUI support they have to go in /sys and you have to be rooted to write there.

    It takes away from the allure of running your own secure infrastructure.

    It would be cool if someone wrote an exploit TLS certificate installer to automate the process for users.

    Or if Google would get with the program, but exploiting seems more likely.

    • There used to be cert installers for android. Google broke them when they made /system unable to be rewritten while the OS was running, and never provided a proper alternative. (Yes, you can install a CA cert from settings, but doing so will give you a permanent non-dismissable scare notification and it can be ignored explicitly by apps.)

      There does appear to be some more modern injectors for newer versions of android out there. (Probably altering the list, or installing hooks into the verification code in
  • Only solution is never to connect your TV to the net or to your LAN. Instead run Kodi on barebones linux from a cheap SFF, maybe Pi, add a usb TV tuner. Or maybe the KDE TV package. Just use the TV as display. Haven't done this yet, at the moment I just keep ignoring the requests from the latest smart tv to complete the installation process. No thanks. All these guys want to do is collect as much data on you as possible, send it to some country where there are no restrictions on data protection, and

  • outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022,

    7.1, and 10.1 definitely. But 12.1 was released two years ago. I'd wager there's still devices being sold if not manufactured by big name brands that run it. Hell, google's own policy is that they have 3 year support window. (And newer devices have 7 years.)

    I don't think age had much to do with it. (At least for the 12.1 devices.)

  • My website was hit by a deluge of HTTP hits at the end of 2023.

    Had to block nearly 380,000 IPs to survive.

    They all came with only a set of 4 old/obsolete Pixel/Android/iPhone 11 User-Agents, obviously bogus.
    All hits came from English-speaking countries (US, CA, AU, NZ, UK, IR, etc.) and from home internet boxes.

    Similar pattern of compromised boxset/apps/devices?

If you didn't have to work so hard, you'd have more time to be depressed.

Working...