Smart TVs Require Even Smarter Security Measures

Smart TV Dilemmas

It's hard nowadays to find a TV that is not "smart". They all come preloaded with apps to watch Netflix, Disney+ and the like. Not everyone has a new TV though. For older "dumb" TVs, streaming devices are very popular. And even for TVs with built-in apps, there are still reasons to use a separate streaming device.

Maybe you don't want to be force-fed the TV manufacturer's recommendations ads. Maybe your TV isn't supported anymore and some apps are not being updated. Maybe the app you want isn't part of your particular "smart" TV brand. Plenty of reasons for a separate streaming device.

There are plenty of choices in streaming devices. From household names like Apple, Google and Roku, to many lesser-known brands. (And with many, I mean many). Since the base Android TV is open source (under the Android Open Source Program), the lesser-known ones generally run a version of Android TV. It's free for them to implement, including putting the Google Play Store on there. Delivering a full-fledged streaming solution without the need to do any developing themselves.

Android TV: Beware Pre-Installed Malware

However because Android TV doesn't get licensed for those streaming devices, they also don't get checked for bad things by Google, such as pre-installed malware. And exactly that is happening right now. A few models of popular streaming devices have been found to contain malware straight from the factory. And chances are good that the 4 devices found are not the only ones that have malware pre-installed.

The currently known devices are:

  • AllWinner T95
  • AllWinner T95Max
  • RockChip X12 Plus
  • RockChip X88 Pro 10

They all have multiple listings on Amazon and other online stores, including some listings with hundreds of positive reviews. I can have one delivered to my place tomorrow …

Easily order Android on Amazon

Pay-Per-Click Fraud

A security researcher named Daniel Milisic discovered the malware. On bootup, the malware will try to reach out to command-and-control (C2) threat infrastructure to receive instructions and download more payloads. Initially the malware has been downloading a payload to perform pay-per-click, or ad-click, fraud. Making it look like an actual user is clicking ads, either generating revenue or burning through a competitor's ad budget.

It can be argued that of all the bad things malware can do, this is one of the "lesser evils." However, since it downloads its payload and instructions, that means the device can be repurposed for even more nefarious things. Though I personally wouldn't like my devices being used for click-fraud either.

Pre-Installed Malware In Firmware

Because the malware is "baked into" the firmware, it's no easy feat to remove the malware, or even possible. And since there are likely other devices (including devices other than streaming devices) out there that do the same, what are the options? Buying well-known brands generally helps a lot, but also isn't waterproof.

Some years ago one of the biggest laptop manufacturers shipped laptops with malware preinstalled. Running anti-virus (AV) or endpoint detection and response (EDR) software on a device isn't always possible either, or won't detect it.

The security researcher actually used a Pi-hole to detect and neuter the malware. A Pi-hole generally runs on a Raspberry Pi (hence the name) and acts as the DNS resolver for the devices on your home network. It allows lists to be loaded that will block known malicious domains, tracking domains and/or ad domains.

Block Malware on Your Home Network

It is well-understood in the enterprise that Protective DNS adds a crucial defense layer. Malware (or users clicking on phishing sites) get by existing defenses on a regular basis. However for home users, the same is true. Relying on only the AV software you are running (and maybe came pre-installed with your OS) isn't enough. It doesn't detect or protect other devices, and can still let things through.

HYAS Protect at Home provides the same great protection as HYAS Protect does. It's like a Pi-hole on steroids protecting all the devices on your network, not only relying on lists of known bad domains, but also mapping threat actor infrastructure and detecting malicious traffic to previously unknown domains.

Sign up for the free version of HYAS Protect at Home

 

Further Reading

Defeating malvertising-based phishing attacks 

Threat actors are using Google ads to launch phishing attacks

Cyber adversary infrastructure explained

Back to Blog