Nonprofit Urges FTC to Block Sales of Alleged Malware-Infected Android TV Boxes

The Electronic Frontier Foundation, a nonprofit organization that defends civil liberties in the digital world, is calling on the Federal Trade Commission to halt sales by Amazon and other resellers of Android TV boxes and mobile devices that the organization says are malware-infected.

The organization calls out two China-based manufacturers, AllWinner and RockChip, which provides malware-infected Android TV box models that adds the box to a botnet for initiating coordinated attacks.

When first powered on and connected to the internet, the boxes will immediately begin communicating with botnet command and control servers. Then, the devices connect to a “vast click-fraud network.”

All of this is largely undetectable to the average consumer, and there is little they can do to stop it without extensive technical knowledge, the EFF says.

The nonprofit says it has raised these concerns with Amazon and other retailers, but devices are still being sold as of Nov. 14.

According to a May report from the EFF, affected models include the affected models include the AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10.

Citing a security researcher, the EFF says traffic being sent by these devices was for domains publicly known to be associated with botnet command and control servers.

Once the devices begin communicating with the botnet servers, they connect to a vast click-fraud network—in which bots juice advertising revenue by producing bogus ad clicks, the EFF says, citing a report from HUMAN Security.

“These devices put buyers at risk not only by the click-fraud they routinely take part in, but also the fact that they facilitate using the buyers’ internet connections as proxies for the malware manufacturers or those they sell access to,” the Electronic Frontier Foundation says in its Nov. 14 letter to the FTC and Cybersecurity & Infrastructure Security Agency.

“This means that any nefarious deeds done using this proxy will look as though they were originating from the buyers’ internet connection, possibly exposing them to significant legal risk. This can result in real harm to buyers of these devices, presenting an unacceptable risk which must be addressed.”

Calling these products “low-end devices” manufactured by little-known third-party vendors based in China, the EFF says they can be sold cheaply by cutting costs on quality control and device security.

“The widespread availability of these low-end devices present a danger to consumers, their networks, and the security and stability of the internet at large,” the EFF says. “Though it would be impractical to conduct a thorough security audit for all merchandise sold on Amazon, a more thorough vetting process could be introduced before selling consumer-grade IoT devices. For instance, a basic network analysis would have found these devices communicating with C&C servers and having wide-open adb ports.”

Currently, the U.S. Federal Communications Commission is vetting the feasibility of the U.S. Cyber Trust Mark, the cybersecurity equivalent to the Energy Star label for consumer IoT devices.

Devices labeled with the mark will have met cybersecurity guidelines largely outlined by the National Institute of Standards and Technology. The FCC is still seeking comments and feedback on the proposal, but the voluntary program is expected to be in place sometime in 2024.