Streaming Devices and IoT Security Threats: Android TV Boxes Linked to Botnet Activity

Written by: Lore Apostol, Cybersecurity Writer

Key Takeaways

Popular Android TV streaming boxes may be enrolling users' home networks into sophisticated botnets without their knowledge. Devices like the Superbox, which promise access to thousands of pay-per-view (PPV) and streaming services for a one-time fee, often require users to install third-party applications via an unofficial App Store. 

These applications can contain streaming device malware that enlists the device into a residential proxy network, effectively turning the user's internet connection into a tool for cybercriminals.

Superbox Cybersecurity Risks and Network Hijacking

An analyst at cybersecurity firm Censys found that Superbox devices engage in intrusive network activities, including DNS hijacking and Address Resolution Protocol (ARP) poisoning. In ARP poisoning, an attacker sends spoofed ARP messages onto a local area network so that other hosts on that network end up sending their traffic to the attacker.
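A defender-side check for the ARP poisoning described above, added here as an example and not code from Censys, KrebsOnSecurity or the article: it scans a list of observed ARP replies (a constructed sample, not a real capture) and flags any device other than the known gateway that claims the gateway's IP, plus any IP claimed by more than one MAC, which is what a home network monitor would see if a box on the LAN were redirecting traffic to itself. The gateway address and all MAC addresses are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address making that claim

def detect_arp_poisoning(replies, gateway_ip, gateway_mac):
    """Return findings for two ARP-poisoning indicators: a MAC other than
    the known gateway MAC claiming the gateway IP (gateway_impersonation),
    and any IP claimed by more than one MAC (ip_mac_conflict)."""
    gateway_mac = gateway_mac.lower()
    claims = defaultdict(set)   # sender_ip -> set of MACs seen claiming it
    findings = []
    for r in replies:
        mac = r.sender_mac.lower()   # normalise case so duplicates collapse
        claims[r.sender_ip].add(mac)
        if r.sender_ip == gateway_ip and mac != gateway_mac:
            findings.append({"type": "gateway_impersonation", "ts": r.ts, "mac": mac})
    for ip, macs in sorted(claims.items()):
        if len(macs) > 1:
            findings.append({"type": "ip_mac_conflict", "ip": ip, "macs": sorted(macs)})
    return findings

def suspect_macs(findings, gateway_mac):
    """Collapse findings to the set of MACs worth investigating."""
    gateway_mac = gateway_mac.lower()
    suspects = set()
    for f in findings:
        if f["type"] == "gateway_impersonation":
            suspects.add(f["mac"])
        else:
            suspects.update(m for m in f["macs"] if m != gateway_mac)
    return suspects

# Constructed sample capture (not real data): the router answers for .1, a
# laptop for .20, then a third device starts claiming the router's address.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
SAMPLE_REPLIES = [
    ArpReply(0.0, GATEWAY_IP, "aa:bb:cc:00:00:01"),
    ArpReply(1.2, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(2.5, GATEWAY_IP, "de:ad:be:ef:00:42"),
    ArpReply(2.7, GATEWAY_IP, "DE:AD:BE:EF:00:42"),  # same host, upper-case
]
FINDINGS = detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY_IP, GATEWAY_MAC)
```

On a real network the same logic runs over ARP replies captured from the router or a monitoring host; a static ARP entry for the gateway on each client is the usual mitigation once a conflicting MAC has been identified.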

Superbox media streaming boxes for sale on the Walmart website | Source: KrebsOnSecurity

The devices were found to communicate with servers belonging to the Chinese instant messaging service Tencent QQ and a residential proxy service called Grass IO, KrebsOnSecurity has reported.

This effectively hijacks the user's bandwidth, using it to relay traffic for others. This activity is often associated with ad fraud and large-scale web scraping operations. 

Grass website | Source: Grass via KrebsOnSecurity

“It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,” Grass founder Andrej Radonjic told KrebsOnSecurity.

While Superbox claims it only sells hardware, the necessary apps to access free content must be installed from an unofficial app store after removing the official Google Play store, a significant red flag for IoT security threats.

Broader Implications of the Android TV Box Botnet

This issue extends beyond a single brand. Google filed lawsuits against botnet operations like BADBOX 2.0, which involves millions of Android streaming devices engaging in ad fraud. Many of the devices flagged in these legal actions remain for sale on major e-commerce platforms. 

The FBI has also issued warnings about these devices, noting they can be compromised with backdoor malware before purchase or during setup. 

For consumers, the allure of free content comes with the severe risk of their IP address being implicated in malicious online activity and their home network security being compromised.

In August, an Oregon man was arrested for operating the RapperBot DDoS service suspected of attacking X (formerly Twitter).
