
1.3 Million Android-Based TV Boxes Backdoored; Researchers Still Don't Know How (arstechnica.com)

(Friday September 13, 2024 @11:30PM (BeauHD) from the PSA dept.)


An anonymous reader quotes a report from Ars Technica:

> Researchers still don't know the cause of a recently discovered malware infection [1]affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web [2]reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

>

> Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The following device models infected by Vo1d are: [R4, TV BOX, KJ-SMART4KVIP].

>

> One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

"These off-brand devices discovered to be infected were not [3]Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."

Users can confirm whether their device runs Android TV OS via [4]this link and by following the steps [5]here.



[1] https://arstechnica.com/security/2024/09/researchers-still-dont-know-how-1-3-million-android-streaming-boxes-were-backdoored/

[2] https://news.drweb.com/show/?i=14900&lng=en

[3] https://support.google.com/androidtv/thread/217840369/ensuring-your-android-tv-os-device-is-secure?hl=en

[4] https://www.android.com/tv/

[5] https://support.google.com/googleplay/answer/7165974
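The report above describes the backdoor as components dropped into the boxes' system storage area, which C2 servers can later swap for additional payloads. One defender-side check that applies regardless of the still-unknown infection vector is an integrity baseline of that storage: hash every file in the system tree once, then re-hash later and report anything added, removed or changed. The script below is an added example, not code from Doctor Web, Ars Technica or Google; it assumes the system tree has already been copied to a local directory (for instance with `adb pull`), and the file names it creates are constructed for the demo, not the indicators Doctor Web published.

```python
"""Integrity baseline for a copied system tree (added example).

Assumptions: the tree has been pulled to a local directory beforehand
(e.g. `adb pull /system ./system_dump`); the file names used in demo()
are constructed and are NOT the indicators from the Doctor Web report.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large APKs and libraries stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree is never followed.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest: dict, out_file: Path) -> None:
    """Persist the baseline; keep this copy off the device so it cannot be edited in place."""
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file: Path) -> dict:
    return json.loads(Path(in_file).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every difference: files that appeared, vanished, or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a baseline from a constructed tree, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "system"
        (tree / "bin").mkdir(parents=True)
        (tree / "xbin").mkdir()
        (tree / "bin" / "sh").write_bytes(b"\x7fELF original shell")
        (tree / "bin" / "toybox").write_bytes(b"\x7fELF toybox")
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(tree), baseline_file)

        # Constructed tampering: one binary replaced, one unknown file dropped in.
        (tree / "bin" / "sh").write_bytes(b"\x7fELF shell with an extra stage")
        (tree / "xbin" / "extra_daemon").write_bytes(b"\x7fELF unknown")

        return diff_manifests(load_manifest(baseline_file), build_manifest(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only useful if it was taken from a tree you trust, which is exactly the problem the comments below raise: a box that shipped compromised gives you a compromised baseline, so the reference manifest should come from a known-good firmware image rather than from the device as received.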



Re: (Score:2)

by ls671 ( 1122017 )

It's always a very smart idea to put a hackable computer in anything that doesn't need a computer, and all computers are hackable. I have been coding and managing systems for years and I don't own any smart anything except a phone I seldom use, which has no apps installed and which I don't use for any form of transactions. Signage display to watch movies, etc...

Pretty clear (Score:2)

by gweihir ( 88907 )

Bad engineering. In this case by the device makers. Seriously. We have reached a point where the details hardly matter. It is a fundamental problem. Unless and until we start mandating actually competent engineering in the IT space (liability for damage, engineering standards or no sale to the general public, prohibited use of non-qualified personnel, etc.) this will just get worse and worse.

Re: (Score:2)

by ls671 ( 1122017 )

> Bad engineering...

More like over-engineering IMHO. Plenty of devices really don't need to be smart and have a programmable computer inside them so no competent engineering in the IT space would be required at all.

Re: (Score:2)

by gweihir ( 88907 )

That too.

Come on now... stop the BS (Score:2)

by rtkluttz ( 244325 )

Stop the BS of insisting the closed ecosystem makes it safer. Google watching it in the play store makes it no safer than anything else. Plain and simple this is an unpatched exploit that more eyes would have found. We have to stop this bullshit of creating FUD that closed ecosystems are anything other than bad. No company should retain more control of a device than the owner of that device... period. From cell phones, to PCs, to connected devices all the way up to automobiles. And fact be known, it should

Re: (Score:2)

by drinkypoo ( 153816 )

>> Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

> Stop the BS of insisting the closed ecosystem makes it safer. Google watching it in the play store makes it no safer than anything else. Plain and simple this is an unpatched exploit that more eyes would have found.

As TFS says, we don't yet know what the vector was. As some have suggested in this discussion, maybe these units came pre-backdoored. And it is possible that Play Protect or whatever they're calling it would have prevented this, which we'll never know.

Infected from the factory (Score:4, Interesting)

by caseih ( 160668 )

Isn't it most likely these devices came from the factory with malware installed in the firmware image? None of these devices I've ever heard of before, and none of them seem to have google apps on them. I always thought most android devices coming out of China with generic Android images on them (with no play store) are rather suspect for malware and anyone that buys them should plan to blow the firmware away and put something more trustworthy on them.

Re: Infected from the factory (Score:2)

by Al_Lapalme ( 698542 )

My thoughts exactly. A few years ago I bought an Android box for the tv from Amazon. It was named something like m6 or m8,..

Anyway, we set up Netflix on the box and days later I was emailed by Netflix saying my account had been accessed from a foreign country. These boxes are coming pre-infected.

Re: (Score:2)

by olmsfam ( 1399493 )

Linus Tech Tips actually exposed this like a year or more ago. [1]https://youtu.be/1vpepaQ-VQQ?t... [youtu.be]

[1] https://youtu.be/1vpepaQ-VQQ?t=121

There must be some kind of name branded on these. (Score:2)

by Fly Swatter ( 30498 )

But they don't say what it is, and searching the model numbers just shows other news articles about the same malware.

Is this like an Alibababba device?

Of course it was supply chain (Score:2)

by skogs ( 628589 )

I still live pretty simply. Buy TV. Never connect it to internet.

Buy disposable something-or-other. Use it.

When disposable roku streambar stick puck whatever is compromised I simply throw it away. The minute you hook your tv directly to all the virus distribution platforms now you have to throw away the tv.
