1.3 Million Android-Based TV Boxes Backdoored; Researchers Still Don't Know How (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.
Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The device models found infected by Vo1d are R4, TV BOX, and KJ-SMART4KVIP.
One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user. "These off-brand devices discovered to be infected were not Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."
Users can confirm whether their device runs Android TV OS via this link and by following the steps here.
Re: (Score:2)
It's always a very smart idea to put a hackable computer in anything that doesn't need a computer, and all computers are hackable. I have been coding and managing systems for years and I don't own any smart anything except a phone I seldom use, which has no apps installed and which I don't use for any form of transactions. Signage display to watch movies, etc...
YAGNI applies - you ain't gonna need it (Score:2)
Liking tech and all is OK, though jumping on and 'have to have it for bragging rights' dozens of internet connected devices is a waste.
Live simpler, use less electricity, have fewer disposable internet devices, consume less, order one less box from Amazon each year, ...
Simple as waiting 2 extra months before getting a new phone would be a huge improvement. Otherwise, we are all on this treadmill for the 1%, mindlessly fighting over scraps, political infighting among ourselves
all the while rights, liberties,
Pretty clear (Score:2)
Bad engineering. In this case by the device makers. Seriously. We have reached a point where the details hardly matter. It is a fundamental problem. Unless and until we start mandating actually competent engineering in the IT space (liability for damage, engineering standards or no sale to the general public, prohibited use of non-qualified personnel, etc.) this will just get worse and worse.
Re: (Score:2, Offtopic)
Bad engineering...
More like over-engineering IMHO. Plenty of devices really don't need to be smart and have a programmable computer inside them so no competent engineering in the IT space would be required at all.
Re: (Score:2)
That too.
Come on now... stop the BS (Score:4, Insightful)
Stop the BS of insisting the closed ecosystem makes it safer. Google watching it in the play store makes it no safer than anything else. Plain and simple this is an unpatched exploit that more eyes would have found. We have to stop this bullshit of creating FUD that closed ecosystems are anything other than bad. No company should retain more control of a device than the owner of that device... period. From cell phones, to PC's to connected devices all the way up to automobiles. And fact be known, it should always be possible to keep your device or its data airgapped from the internet if you so choose and keep your data 100% local.
Re: (Score:3)
Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.
Stop the BS of insisting the closed ecosystem makes it safer. Google watching it in the play store makes it no safer than anything else. Plain and simple this is an unpatched exploit that more eyes would have found.
As TFS says, we don't yet know what the vector was. As some have suggested in this discussion, maybe these units came pre-backdoored. And it is possible that Play Protect or whatever they're calling it would have prevented this, which we'll never know.
Re: (Score:2)
TL;DR: That's not happening. Play Protect wouldn't have done anything in this case.
Play Protect DIDN'T do anything in this case, not WOULDN'T HAVE. In order for it to be active, several other things would have had to be different, yes. That's completely irrelevant to the argument. Also, as you yourself say, it is possible to enable it on such devices. You literally laid out how it's done in your tweet, except for providing the useful details of course.
Your take is dumb, we know it's dumb because it contained all the details needed to know how dumb it was, so you should feel doubly dumb.
Infected from the factory (Score:5, Interesting)
Isn't it most likely these devices came from the factory with malware installed in the firmware image? I've never heard of any of these devices before, and none of them seem to have Google apps on them. I always thought most Android devices coming out of China with generic Android images on them (with no Play Store) are rather suspect for malware, and anyone that buys them should plan to blow the firmware away and put something more trustworthy on them.
Re: Infected from the factory (Score:5, Informative)
My thoughts exactly. A few years ago I bought an Android box for the TV from Amazon. It was named something like M6 or M8...
Anyway, we set up Netflix on the box and days later I was emailed by Netflix saying my account had been accessed from a foreign country. These boxes are coming pre-infected.
Re: Infected from the factory (Score:4, Interesting)
Linus Tech Tips actually exposed this like a year or more ago. https://youtu.be/1vpepaQ-VQQ?t... [youtu.be]
There must be some kind of name branded on these. (Score:2)
Is this like an Alibababba device?
Of course it was supply chain (Score:2)
I still live pretty simply. Buy TV. Never connect it to internet.
Buy disposable somethingrather. Use it.
When disposable roku streambar stick puck whatever is compromised I simply throw it away. The minute you hook your tv directly to all the virus distribution platforms now you have to throw away the tv.
Re: (Score:2)
Shouldn't you be out defending cats against immigrant hordes? Maybe we could mobilize Jewish space lasers against them, yes?
TLS Fix? (Score:2)
Jellyfin has a big problem on Android TV where you can't run your own internal CA because without GUI support they have to go in /sys and you have to be rooted to write there.
It takes away from the allure of running your own secure infrastructure.
It would be cool if someone wrote an exploit TLS certificate installer to automate the process for users.
Or if Google would get with the program, but exploiting seems more likely.
Re: (Score:2)
There do appear to be some more modern injectors for newer versions of Android out there. (Probably altering the list, or installing hooks into the verification code in
Only solution (Score:2)
The only solution is never to connect your TV to the net or to your LAN. Instead run Kodi on barebones Linux from a cheap SFF, maybe a Pi, and add a USB TV tuner. Or maybe the KDE TV package. Just use the TV as a display. Haven't done this yet; at the moment I just keep ignoring the requests from the latest smart TV to complete the installation process. No thanks. All these guys want to do is collect as much data on you as possible, send it to some country where there are no restrictions on data protection, and
Outdated? (Score:2)
outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022,
7.1 and 10.1, definitely. But 12.1 was released two years ago. I'd wager there are still devices being sold, if not manufactured, by big-name brands that run it. Hell, Google's own policy is a 3-year support window. (And newer devices have 7 years.)
I don't think age had much to do with it. (At least for the 12.1 devices.)
There must be others (Score:1)
My website was hit by a deluge of HTTP hits at the end of 2023.
Had to block nearly 380,000 IPs to survive.
They all came with only a set of 4 old/obsolete Pixel/Android/iPhone 11 User-Agents, obviously bogus.
All hits came from English-speaking countries (US, CA, AU, NZ, UK, IR, etc.) and from home internet boxes.
Similar pattern of compromised boxset/apps/devices?