Researchers discover Chinese Android TV boxes ship with preloaded malware

Mike Wheatley

Two Chinese Android TV box manufacturers have been accused of shipping malware that was preloaded onto their hardware, security researchers say.


TechCrunch reported that the researchers found the popular Android TV boxes from AllWinner and RockChip, including the AllWinner T95Max, RockChip X12 Plus and RockChip X88 Pro 10, were shipped with malware that connects them to a large botnet made up of thousands of other such devices. The Android TV boxes were sold by major retailers, including Amazon.

The botnet is said to be running a clickbot that generates ad money by secretly tapping on ads in the background, without the knowledge of the user.

“But because of the way the malware is designed, the authors can push out any payload they like,” Daniel Milisic, the security researcher who discovered the malware, said in an interview with TechCrunch.

The findings of Milisic were confirmed independently by EFF security researcher Bill Budington. The researchers both say there’s no simple way for users to remove the malware, and that their best advice is to throw away the set-top boxes instead.

The AllWinner and RockChip Android boxes are sold by Amazon in the U.S., and by other retailers in countries across the world. Although they claim to be Android TV boxes, they actually run the standard mobile Android operating system and use a modified interface. The mobile Android OS can be loaded onto any hardware without oversight and adapted at the manufacturer’s leisure, meaning it’s possible to add malware.

This is not good news for consumers. Even without malware being added, mobile Android is not designed for TV and offers a poor user experience compared to the official Android TV operating system. That’s because not all TV streaming apps are compatible with mobile Android. They also deliver lower video streaming bitrates to the box, because it identifies the device as a smartphone or tablet. The only advantage of such devices is that they tend to be very cheap, with the AllWinner T95Max selling for just $37 on Amazon, for example.


Media players that run the genuine Android TV platform must be certified by Google, which prohibits manufacturers from making changes to the user interface. As such, any official box will have the proper Android TV UI, without any kind of branding or customization. Only TV broadcasters are allowed to modify the Android TV OS user interface, TechCrunch states.

Official Android TV devices include the Chromecast with Google TV dongle, Nvidia Shield and media boxes from the likes of Nokia, Strong and Xiaomi. These devices are also usually fairly inexpensive, though not quite as cheap as the “fake” Android media players sold by AllWinner and RockChip.