SAN FRANCISCO—The Federal Trade Commission (FTC) must act to halt sales by Amazon, AliExpress, and other resellers of Android television set-top boxes and mobile devices manufactured by AllWinner and RockChip that have been pre-infected with malware before ever reaching consumers, the Electronic Frontier Foundation (EFF) urged Tuesday in a letter to FTC commissioners.
“We believe that the sale of these devices presents a clear instance of deceptive conduct: the devices are advertised without disclosure of the harms they present. They also expose the buyers to an unfair risk which starts after simply powering the device on and connecting it to the internet,” EFF’s letter says. “Here, where products are sold containing real malware at the point of sale, issuing sanctions to the resellers will provide a powerful incentive for them to pull these products from the market and protect their customers.”
When first connected to the internet, these infected devices immediately start communicating with botnet command and control servers, the letter explains. Then they connect to a vast click-fraud network—in which bots juice advertising revenue by producing bogus ad clicks—which a recent report by HUMAN Security dubbed BADBOX. This operates in the background of the device, unseen by the buyers; even if buyers do find out about it, they can’t do much to regain control of their devices without extensive technical know-how.
The malware also lets its makers, or those to whom they sell access, use buyers’ internet connections as proxies—meaning that any nefarious deeds will look as though they came from the buyers, possibly exposing them to significant legal risk.
Despite widespread reporting on these compromised devices, they are still being sold by Amazon, AliExpress, and other vendors.
“We believe the resellers of these devices bear some responsibility for the broad scope of this attack and for failing to create a reliable pathway for researchers to notify them of these issues,” the letter reads. “While it would be impractical for resellers to run comprehensive security audits on every device they make available, they should pull these devices from the market once they are revealed and confirmed to include harmful malware.”
The HUMAN Security report found the malware is a variant of the Triada trojan, installed between the time when a Chinese company manufactured the devices and when they are provided to resellers. This constitutes a supply-chain attack on consumer-based Internet of Things devices, so EFF also sent its letter to Cybersecurity and Infrastructure Security Agency Director Jen Easterly.
“This is the very essence of consumer protection: ensuring that the products we bring into our homes aren’t preset to be hijacked for malicious purposes,” said EFF Senior Staff Technologist William Budington. “We urge the Federal Trade Commission to take swift action.”
For EFF's letter to the FTC: https://www.eff.org/document/11-14-2023-eff-letter-ftc-re-malware-android-tv-set-top-boxes
For the HUMAN Security report: https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box
For more background on the problem: https://www.eff.org/deeplinks/2023/05/android-tv-boxes-sold-amazon-come-pre-loaded-malware