Think Twice About Getting Yourself A Cheap Android TV Box: Here's Why
The nice thing about an Android-based streaming stick or player is that, unlike something like a Roku or Apple TV, Android is open source. This makes it much easier to install homebrew apps that may not be available on official streaming app stores. Using anything Android-based like a Fire TV stick can open up some fun and interesting new avenues of streaming entertainment, not to mention customization and web development.
Of course, even a low-end Fire TV stick can cost around $40, and if the goal is to go homebrew anyway, you may be tempted to seek out cheaper alternatives with that same level of functionality. However, doing this may prove to be dangerous to your digital health. The ease of homebrew installation that comes with Android TV frameworks can be a devious dagger in the hands of unscrupulous individuals, potentially compromising your accounts and passwords.
Human Security conducted research into low-end Android TV boxes
In late 2023, a cybersecurity firm called Human Security released a detailed report (PDF) on its investigation into the world of low-end Android streaming boxes. This followed research from earlier that year by cybersecurity expert Daniel Milisic, who discovered a suite of malware present straight out of the box on a cheap Android player he had purchased.
Based on Human Security's findings shared with WIRED that year, around 200 different models of low-end Android boxes were infected with some kind of malware, presumably added to the devices' firmware sometime between their manufacture and sale. All of these low-end boxes generally cost less than $50 and are sold both online and in physical storefronts. These devices have names composed of seemingly random letters and numbers like MXQ or T95Z, and are either completely brandless or are branded with obscure, strange-sounding company names that nobody has ever heard of. It's also worth noting that, in addition to a variety of low-end Android boxes, Human Security found similar security vulnerabilities on an off-brand Android tablet, showing just how pervasive these shady efforts can be.
Following the release of this research, Google has made efforts to remove apps associated with the companies that manufacture the compromised boxes. Unfortunately, malware-infested hardware is a proverbial hydra; cut off one head, and eight take its place. While Human Security's research revealed many vulnerabilities, there are still plenty of bad actors out there.
These devices could be used to create backdoors into your accounts and network
Among the devices that Human Security researched, two major kinds of malware were discovered: Badbox and Peachpit. Both of these could be covertly inserted into an Android box's firmware, whereupon they'll begin to wreak havoc on your digital life.
Badbox is actually a global network of compromised devices, linked together by a particular piece of malware. When you use a device infected with Badbox, you're quietly linked into this network, at which point bad actors can use your connected network and accounts for all sorts of nefarious purposes. This includes selling access to your home network as a secret proxy, using your network to create fake accounts for services like Gmail and WhatsApp, and remotely installing code onto other devices connected to your network. Basically, it turns your home network into a cog in an enormous, vile machine.
Peachpit operates similarly to Badbox, albeit for the express purpose of advertising fraud. Utilizing your network, as well as low-quality, compromised Android apps, Peachpit requests a large quantity of ad views, spoofing your device credentials to farm out ads for quick cash. Human Security has speculated that the ad revenue generated by Peachpit may be what funds Badbox's operations, though this is just a theory.
These are just two examples of what could happen to your network if you use a low-end Android TV box. No matter how tempting cheap tech may be, remember to stick to trustworthy name brands.