C4 Forums | Control4

How Malware on Android players affects your clients



You probably have seen some of the reports from security experts over the last year regarding the Malware that has been discovered on nearly all generic Android players sold on Amazon, AliExpress, and elsewhere.

What you likely don't know is how this will affect your clients when installed on their networks.

The preinstalled Malware has 5 primary functions.  These are detailed below along with how each affects your business.

• Network proxy: Hackers will utilize YOUR CLIENTS' network to launch attacks and create fake accounts. Other than using bandwidth, the major impacts are possible legal action against your client as well as being banned by their internet provider.
• Account theft: The infected hardware captures the credentials of all accounts used on the device. This includes their Google Play credentials and any other app credentials. Their credentials are then sold online for other hackers to use.
• LAN intrusion: In some cases, the infected hardware actively scans your LAN. If it discovers open network storage or older devices which have exploits available (rPis, etc.), they will also infect those devices.
• Ransomware: Most Ransomware attacks involve critical data on your network. Much of this can be avoided by having the devices on a separate network (when possible). Hackers can also control what is shown on your attached screens and can use this to disrupt and damage your clients' business.
• Ad fraud: Hackers use fake accounts generated on your network to utilize pay-per-click advertising (rendered in an invisible WebView on the infected devices). Since you aren't liable for this type of fraud, it affects you the least. It will reduce the performance of the infected device and your network somewhat.


The infected devices have Malware in the OS which cannot be removed without completely replacing the OS with a trusted build.  Trusted builds just aren't available, nor are the tools to do this yourself.  The hardware needs to be replaced.

If you are using generic Android players, experts recommend making immediate replacement of the infected hardware a top priority.

Lumi TV is an excellent replacement option which is guaranteed Malware free.  Lumi TV is an Android device, but the OS has been completely rebuilt specifically for secure remote managed digital signage.  Lumi TV features high performance hardware with rapid installation & management technology, has free OTA security updates for the life of the product, and is resistant to physical and electronic tampering.  Lumi TV brings a new level of professional reliability and security to Android.

https://lumi-tv.com



Thank you for the information.

General inquiry, should a client not listen and want to use one of these types of boxes that they "got from a friend", would isolating it in its own VLAN be sufficient to sandbox it from the home network?

Realizing it's still going to use Bandwidth and be doing illegal things on an ISP account. But as to protecting what we do from their stupidity, which we can't always control.


1 hour ago, RAV said:

Thank you for the information.

General inquiry, should a client not listen and want to use one of these types of boxes that they "got from a friend", would isolating it in its own VLAN be sufficient to sandbox it from the home network?

Realizing it's still going to use Bandwidth and be doing illegal things on an ISP account. But as to protecting what we do from their stupidity, which we can't always control.

Isolating it helps to limit the potential damage.  Keep in mind that the switches/routers used for the VLAN must have up to date firmware and no known exploits, otherwise they could be compromised, which opens the network.

They also need to consider how they "use" the box, as any credentials it sees will end up being sold.  People reuse passwords (or small variations of the same password), so the effects can be much further reaching than might be expected.  In this case, make sure the customer didn't set the router/switch passwords (or even knows them if possible).


2 minutes ago, Ryanjackson said:

You have any links from the security experts' report?

Many. Two of the best written are:

https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/amp/

https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pd

 

We have also performed our own testing to simulate how our device (and all the generic devices) would perform in a strict security audit. The audit has three main parts:


Device intrusion: Testing if the DUT can be accessed and compromised by an attacker on the local network. The generic boxes all fail this. They are easy to access and gain full admin rights. Consumer devices (Firestick, etc) are better protected, as long as ADB isn't enabled. Lumi TV is secure against network intrusion and exploits.

Device behavior: We use dedicated MIM network bridges to monitor all the DUTs on our test network. They monitor and record all network traffic to/from the DUT. LAN traffic is filtered to find suspicious behavior like nmap and similar. Internet traffic is compared against our threat database to draw risk conclusions.

Honeypot: We have an rPi honeypot on the test network which exposes commonly exploited interfaces (ssh, telnet, samba, ftp, etc.) and monitors any attempt to use them.

 

All the generic devices we tested (~30 models) failed the device behavior testing. They either communicated with sites flagged by the threat database (most) or unknown sites which had no corresponding legitimate use (all).

Several also directly attacked the Honeypot.

Lumi TV passes all these tests and is actively maintained for ongoing security.


4 hours ago, msgreenf said:

IDK how you guarantee Malware free unless you take it off the internet.... Can you guarantee the OS is clean, yes...but there are a lot of other ways to get malware on a box....

As shipped from our warehouse, it is Malware free.  Our OS is built by our in-house engineering from the AOSP sources (with our own optimizations tailored to this market).  There is no other software installed on the device other than the minimum we explicitly added.  They are all built from source by us.

No Play store, no Google play framework, etc.   Nothing that collects information or connects to internet servers.

Lumi TV will connect only to our server (lumi-tv.com) to load the device profile for device setup and to install any apps you (the customer) explicitly specify.  Once configured, you can choose to have the Lumi TV automatically check lumi-tv.com for profile updates once a day, only when you manually tell it to, or never again.  If you use the optional PRO features for real-time remote management it will create a constant connection to our MQTT server.

These are easily verifiable using Wireshark.

Assuming the authorized user isn't manually installing Malware on the device, it is a clean device.

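The "device behavior" part of the audit described earlier in this thread (LAN traffic filtered for nmap-like probing, internet traffic compared against a threat database) and the "easily verifiable using Wireshark" claim in this reply both boil down to checks you can script over a connection log. The block below is an added example written for this page; it is not code from the forum thread, from Lumi TV, or from any vendor. Every hostname, address, threat entry and allowlist in it is constructed, and the `Conn` record is a simplified stand-in for one row of a tshark or Zeek connection export, so it runs offline with no capture file.

```python
"""Added example (not from the thread or any vendor): three detector functions
run over constructed connection records, mirroring the audit steps above:
  1. LAN port-scan behaviour (one source touching many dst ports in a window)
  2. contacts with hosts on a threat list (red/yellow)
  3. internet egress from a managed device to hosts outside its stated allowlist
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds since capture start (constructed)
    src: str     # source IPv4
    dst: str     # destination IPv4
    dport: int   # destination port
    host: str    # SNI / DNS name when known, else "" (as a capture export would give)


LAN = ipaddress.ip_network("192.168.10.0/24")  # constructed test LAN

# Constructed threat list; names are hypothetical, not real IoCs.
THREAT_HOSTS = {
    "c2.example-bad.test": "red",        # "known malware" tier in the thread's terms
    "tracker.example-sus.test": "yellow",  # "suspected malware" tier
}

# Constructed allowlist: what a managed player *says* it talks to.
# The vendor name is hypothetical; substitute the real management host.
EXPECTED = {"192.168.10.50": {"mgmt.example-vendor.test"}}


def _is_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def detect_lan_scans(conns, window=60.0, min_ports=10):
    """Return {src: distinct (dst, dport) targets} for LAN sources that hit at least
    `min_ports` distinct targets inside any `window`-second sliding window."""
    events = defaultdict(list)  # src -> [(ts, (dst, dport))]
    for c in conns:
        if _is_lan(c.src) and _is_lan(c.dst):
            events[c.src].append((c.ts, (c.dst, c.dport)))
    found = {}
    for src, ev in events.items():
        ev.sort()
        lo, best = 0, 0
        for hi in range(len(ev)):
            while ev[hi][0] - ev[lo][0] > window:  # slide the window's left edge
                lo += 1
            best = max(best, len({t for _, t in ev[lo:hi + 1]}))
        if best >= min_ports:
            found[src] = best
    return found


def threat_hits(conns):
    """Return [(src, host, level)] for every connection to a listed threat host."""
    return [(c.src, c.host, THREAT_HOSTS[c.host]) for c in conns if c.host in THREAT_HOSTS]


def unexpected_egress(conns, expected=EXPECTED):
    """For devices with a stated allowlist, return internet destinations not on it.
    A connection with no resolvable name is reported by its IP."""
    out = defaultdict(set)
    for c in conns:
        if c.src in expected and not _is_lan(c.dst) and c.host not in expected[c.src]:
            out[c.src].add(c.host or c.dst)
    return {src: sorted(hosts) for src, hosts in out.items()}


def audit(conns):
    """Run all three checks and return one report dict."""
    return {
        "lan_scans": detect_lan_scans(conns),
        "threat_hits": threat_hits(conns),
        "unexpected_egress": unexpected_egress(conns),
    }


# Constructed sample capture: a generic box (.20) probing a honeypot (.99) on
# 12 ports in 11 seconds, then calling out to two listed hosts; a managed
# player (.50) talking to its vendor plus one bare-IP connection; a normal DNS query.
SAMPLE = [
    Conn(100.0 + i, "192.168.10.20", "192.168.10.99", p, "")
    for i, p in enumerate([21, 22, 23, 80, 139, 443, 445, 3389, 5900, 8080, 8443, 9000])
] + [
    Conn(200.0, "192.168.10.20", "203.0.113.7", 443, "c2.example-bad.test"),
    Conn(201.0, "192.168.10.20", "203.0.113.8", 80, "tracker.example-sus.test"),
    Conn(300.0, "192.168.10.50", "203.0.113.20", 443, "mgmt.example-vendor.test"),
    Conn(301.0, "192.168.10.50", "203.0.113.20", 8883, "mgmt.example-vendor.test"),
    Conn(400.0, "192.168.10.30", "192.168.10.1", 53, ""),
    Conn(500.0, "192.168.10.50", "198.51.100.9", 80, ""),
]

if __name__ == "__main__":
    for section, result in audit(SAMPLE).items():
        print(f"{section}: {result}")
```

The scan detector keys on distinct (host, port) pairs inside a sliding window rather than raw packet counts, which is what separates a probe sweep from a chatty but legitimate device; tune `min_ports` and `window` to the LAN's normal background. The egress check is intentionally an allowlist, not a blocklist: for a device that claims to contact only one management host, anything else on the wire is the finding, whether or not a threat feed has heard of it.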

9 minutes ago, msgreenf said:

And the lack of Google play services and store don't make it a replacement for most use cases

True, Lumi TV is mostly for commercial applications (signage, business apps, etc).  These applications require data security, network security, and anti tamper tech.

For residential applications, you should be using either Google TV, NVidia Shield, or Fire OS products.  All the popular streaming services basically require that you allow them to snoop on your data.  This makes them unfit for commercial applications, but is the trade-off residential customers must accept.  These brands do keep actual malware off their devices as shipped and make a reasonable effort to police their stores.  Not perfect, but way better than using known malignant devices.


I'd be curious to know if some of the 'branded' ones were found to have the potential malware indicators, such as ONN, Xiaomi, MxQ and Pendoo.

Of course most of the 'generic' android boxes are bought solely for, well, let's call it 'grey' purposes to begin with: when you buy a device to get hacked movies and streaming services, you really shouldn't be surprised that they aren't safe.

But agreed, if you want a cheap android based streaming box, just get a fireTV or googletv, and if you want a good one get a shield. If you're looking for a commercial solution, get a commercial solution.


18 hours ago, Cyknight said:

I'd be curious to know if some of the 'branded' ones were found to have the potential malware indicators, such as ONN, Xiaomi, MxQ and Pendoo.

Of course most of the 'generic' android boxes are bought solely for, well, let's call it 'grey' purposes to begin with: when you buy a device to get hacked movies and streaming services, you really shouldn't be surprised that they aren't safe.

But agreed, if you want a cheap android based streaming box, just get a fireTV or googletv, and if you want a good one get a shield. If you're looking for a commercial solution, get a commercial solution.

Yes, our tests included most of the lesser-known "brands" that you can purchase at Walmart and the like.  They also contacted a lot of yellow level risk sites (suspected malware), and a few hit red sites (known malware).  This is why we recommend you only use Google TV, NVidia Shield, or Fire OS for residential installs.

It is possible that some of the other brands aren't intentionally doing anything nefarious, but the lack of transparency on their traffic means you can't be sure.  Plus the most likely answer is they have no idea themselves: they are using lots of software built by whoever provides it cheap (and may have other motives for doing so).

"grey" purpose devices should be as walled off as possible.  Would be a good idea to give the list of potential consequences (original post) to customers who want to use them.  Most people don't realize what can happen until after it already has.
