When an entire class of technology states on the packaging that it was made in China but intended "for overseas use only," this should really give you pause before plugging it into your network.

You will find this verbiage on a lot of Android TV streaming boxes for sale at the major retailers. There's a very good reason the country that makes this crap doesn't want it on their own networks. My advice: If you have one of these Android streaming boxes on your network or get one as a gift, toss it in the trash. I'll have a lot more about this in the New Year, but these things are responsible for building out a botnet that currently has ~2M devices and is growing rapidly. https://blog.xlab.qianxin.com/kimwolf-botnet-en/

Meant to link to my previous reporting on this topic, which briefly touches on some of the challenges w/ the ubiquity and sheer insecurity-by-design of most of these Android TV/movie streaming devices

https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

Is Your Android TV Streaming Box Part of a Botnet? – Krebs on Security

@briankrebs I have one of these things (without any pirate apps on it.) Loaded ConnectBot, plugged in a keyboard, typed su, got a root prompt. Zero security on those boxes.
@briankrebs Feels weird that they write "overseas use only" in English...seems like Mandarin might be a better choice perhaps? 🤣🤷🏼‍♂️
@tdp_org @briankrebs Respectively: why would they warn at all?
@briankrebs
The fake CE Mark (actually China Export) is 👨‍🍳💋
@RealGene @briankrebs no, that’s the proper CE mark; the China Export one is lacking the spacing between the letters

@cheesefox @RealGene @briankrebs FYI, the EU has publicly stated in the past that the "China Export" thing is an urban legend and the spacing or shaping of the letters is not relevant for whether something is (or can claim to be) CE-certified, which is a self-certification for most product categories anyway.

Edit: I think it was the European Commission who stated this, specifically.

@joepie91 @RealGene @briankrebs oh, boy https://www.europarl.europa.eu/doceo/document/P-6-2007-5938-ASW_EN.html pretty much suggests that the mark is so abused as to be completely meaningless \o/
Parliamentary question | Answer to Question No P-5938/07 | P-5938/2007(ASW) | European Parliament

@cheesefox @RealGene @briankrebs I mean, I wouldn't say it's entirely meaningless (falsely printing it can be prosecuted as straightforward fraud rather than something harder-to-make-stick like "false advertising" or "unsafe product") but the fact that for almost everything it's self-certification so you don't need to report anything or have anything checked by a third party, certainly makes it less reliable than people often assume it to be... 😐
@cheesefox @RealGene @briankrebs (A notable example of an exception is medical equipment, which has to be certified by a certification body and also requires the CE mark to be printed on the product itself alongside the number of the certification body - this is why fake FFP2 masks can often be identified by missing that print or omitting the number, for example)
@RealGene @briankrebs The China Export thing is an urban myth. That said, the CE mark isn't properly policed, so quite a bit of cheap kit with the mark isn't compliant. https://www.europarl.europa.eu/doceo/document/P-6-2007-5938-ASW_EN.html?redirect

@briankrebs China saying the quiet part in bold golden letters😂
As an aside... I'll never understand how the public got suckered into smart TVs. It's not like it's hard to get a streaming device that connects to your TV via HDMI. Why would you want to lock yourself into buying a new TV every time your streaming device was out of date?
@briankrebs note that you can run Armbian on some of these. Be sure to look at the Armbian forums for unofficial builds if there's no official build.
@jschwart AFAIK, there's no way to use these devices securely.

@briankrebs it's not clear to me why replacing the entire software wouldn't make them secure.

It might possibly even work to simply kill the offending applications. I have a very cheap box (was around $25) which became quiet with regards to traffic after I stopped various applications (mainly a torrent one that was there with a preconfigured torrent and was establishing a lot of connections).

When I insert an SD card with Armbian, it just boots that instead of Android.

@briankrebs the XLAB article mentions the X96Q which matches the model on my box (there are different boxes with that model though).

It also mentions that the culprit is in some so files from a particular apk. This means running Armbian should be fine if you have an affected box:
Working images can be found on the forums: https://forum.armbian.com/search/?q=X96Q

I'll check if my box has those apk/so files when I get an opportunity.

Generally the hardware itself should be fine though, wasteful to just bin it.

@jschwart Lol. Let me get this straight: A China-based security firm warns you about the very real security risk of installing *this particular model* from an overall problematic category of Chinese products, and your response is "I'm sure it's fine?"
@briankrebs yes, as thankfully the security firm is very explicit about where the offending code is located and its behavior such that people can verify their investigation, possibly eliminate offending code and verify the situation afterwards.

@briankrebs is that the confidence of a mediocre white man on display? Probably could fight a bear too :-)

I don't know how fragile these suspected built-in implants are; it's possible they aren't robust against changes in their environment, so they won't restore themselves if you change firmware, but I don't think we know any of that for certain, so it's kind of taking a blind risk.

@raven667 @briankrebs

> mediocre white man

That is uncalled for.

@worik @raven667 let's keep it civil, folks. learn to disagree without making it personal. if you can't do that, don't say anything at all.
@worik @briankrebs my apologies, that sounded funnier in my head, but we don't know each other and I clearly went too far. I do sincerely wish you the best.
@briankrebs @jschwart The spyware is in the Android install, if you boot up Armbian you bypass the ENTIRETY of the Android ecosystem, making it basically a Raspberry Pi. It doesn't matter if the manufacturer's Android image is compromised because you're not using it at all. You can even fully replace the image in the internal flash chip with Armbian, removing all traces of the preloaded OS.

@briankrebs @jschwart The Brazilian IRS has been doing this for a while to the unlicensed TV Boxes they've apprehended, turning them into general purpose computers for schools.

Considering our growing e-waste problem, it's horrendous advice to tell people to throw these things away when there is a way to repurpose them safely.

@jschwart @briankrebs there's nothing that says it still doesn't run something pre-boot or whatever. You simply can't trust any part of the hardware

@0x76 @briankrebs with that I agree, but ultimately you'd need to buy RYF certified hardware to ensure nothing nasty is going on at that level (and that would be more of a starting point).

I think on average if you get it to a point where you cannot observe any unrecognizable traffic going over the wire (using tcpdump on another network device that would see all its traffic for example) for an extended period of time, it would seem unlikely the device is part of a botnet.
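The traffic check described in the post above, written out as an added example (not code from the thread or from any project it mentions): a Python script that reads `tcpdump -nn` output captured on a device that sees all of the box's traffic, keeps only the TCP connections the box itself opened (outbound SYNs), reports every destination that is not on an allowlist you maintain, and flags destinations contacted at a near-constant interval, the fixed check-in pattern a bot typically shows. The capture lines, the device address and the allowlist are all constructed (RFC 5737 documentation ranges) and are assumptions of the example.

```python
import re
from collections import defaultdict

# Matches the start of a tcpdump -nn line for IPv4 TCP, e.g.
# "12:00:05.000000 IP 192.168.1.50.40002 > 203.0.113.7.6666: Flags [S], seq ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: the box (192.168.1.50) talks to an expected CDN address and
# checks in with 203.0.113.7:6666 roughly every 60 s; 192.168.1.10 is another host.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 192.168.1.50.40001 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
12:00:00.120000 IP 198.51.100.20.443 > 192.168.1.50.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000000 IP 192.168.1.50.40002 > 203.0.113.7.6666: Flags [S], seq 3, win 64240, length 0
12:00:05.030000 IP 203.0.113.7.6666 > 192.168.1.50.40002: Flags [S.], seq 4, ack 4, win 65535, length 0
12:00:05.031000 IP 192.168.1.50.40002 > 203.0.113.7.6666: Flags [.], ack 1, win 502, length 0
12:00:30.000000 IP 192.168.1.10.50000 > 203.0.113.99.443: Flags [S], seq 8, win 64240, length 0
12:00:40.000000 IP 192.168.1.50.40006 > 198.51.100.20.443: Flags [S], seq 9, win 64240, length 0
12:01:05.000000 IP 192.168.1.50.40003 > 203.0.113.7.6666: Flags [S], seq 5, win 64240, length 0
12:02:05.100000 IP 192.168.1.50.40004 > 203.0.113.7.6666: Flags [S], seq 6, win 64240, length 0
12:03:04.900000 IP 192.168.1.50.40005 > 203.0.113.7.6666: Flags [S], seq 7, win 64240, length 0
"""

DEVICE_IP = "192.168.1.50"              # assumed address of the streaming box
ALLOWED = {"198.51.100.20"}             # assumed allowlist of destinations you expect


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not an IPv4 TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),   # seconds since midnight
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }


def new_connections(lines, device_ip):
    """Keep only pure SYNs sent by the device: each is a connection the box opened itself."""
    conns = []
    for line in lines:
        p = parse_line(line)
        # tcpdump prints [S] for SYN and [S.] for SYN-ACK; only the former is outbound-initiated.
        if p and p["src"] == device_ip and "S" in p["flags"] and "." not in p["flags"]:
            conns.append(p)
    return conns


def summarize_egress(lines, device_ip):
    """Per destination: how many connections, to which ports, and when."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "times": []})
    for p in new_connections(lines, device_ip):
        entry = summary[p["dst"]]
        entry["count"] += 1
        entry["ports"].add(p["dport"])
        entry["times"].append(p["ts"])
    return dict(summary)


def unexpected_destinations(summary, allowed):
    """Destinations the box contacted that you did not expect it to."""
    return sorted(dst for dst in summary if dst not in allowed)


def beaconing_destinations(summary, min_hits=3, jitter=0.10):
    """Destinations contacted at a near-constant interval (all gaps within `jitter` of the mean)."""
    found = []
    for dst, entry in summary.items():
        times = sorted(entry["times"])
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            found.append((dst, round(mean, 1)))
    return found


def report(capture_text, device_ip, allowed):
    lines = capture_text.splitlines()
    summary = summarize_egress(lines, device_ip)
    return {
        "unexpected": unexpected_destinations(summary, allowed),
        "beacons": beaconing_destinations(summary),
        "summary": summary,
    }


if __name__ == "__main__":
    r = report(SAMPLE_CAPTURE, DEVICE_IP, ALLOWED)
    for dst in r["unexpected"]:
        e = r["summary"][dst]
        print(f"unexpected: {dst} ports={sorted(e['ports'])} connections={e['count']}")
    for dst, interval in r["beacons"]:
        print(f"regular check-in: {dst} every ~{interval}s")
```

Run it against a real capture with `tcpdump -nn -i <iface> tcp > box.txt` on the host that mirrors or routes the box's traffic, then feed the file contents to `report`. A quiet result over a long window is the absence-of-evidence check the post describes; as the thread also notes, it does not prove the device clean, and a bot that stays dormant or uses a channel you are not capturing will not show up here.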

@jschwart @0x76 @briankrebs Let me put it like this: if you put a complete Linux distribution on the hardware, you are "probably" safe. Or could theoretically be so.

Now the problem is that all this esoteric hardware often needs blobs from the original bad image to get it working, or completely working.

And that's a problem.

OTOH, hardware that runs Coreboot and where the management engine in the Intel/AMD CPU can be disabled is starting to get a slightly museum-like feeling too.

@jschwart @0x76 @briankrebs My personal rule of thumb is that statistically (I extrapolated it a couple of years ago from things like the number of SoC vendors that provide GPUs in the Android world, the average number of major GPU bugs …) if you don't update your Android monthly, your risk of being rootable-on-the-fly is significant.

(Quarterly updates aren't that great, IMHO)

Most, even brand-name, Android/Google smart TVs are lucky to get an update twice a year; more realistic is once a year.

I admit that my rule of thumb derivation (via severe GPU bug statistics) might not apply to TV SoCs, but I still stand by the rule of thumb that monthly updates sound right for something as complex as an Android TV device.
@yacc143 @0x76 @briankrebs that's an interesting vector. But "on-the-fly" would mean you'd still need to trigger it in some way by rendering the malicious content I suppose? What kind of rendering pipelines would be able to do this? I guess (Web)GL? Sticking with applications from F-Droid (which one should do anyway) would seem to avoid a lot? Possibly avoid browsers that expose the GPU too much would be needed additionally?
@briankrebs You seem to be implying this violates some chinese security regulations and isn't approved for domestic sale, but the much more likely explanation is that these boxes are banned in China due to state media control concerns: https://www.ibtimes.com/china-cracks-down-set-top-box-market-bans-popular-streaming-apps-2189776
China Cracks Down On Set-Top Box Market, Bans Popular Streaming Apps
@briankrebs Evidence that "these things are responsible for building out a botnet that currently has ~2M devices and is growing rapidly"?
@clock are you asking for evidence? Read the story I linked from XLAB.
@briankrebs I don’t own one but my understanding is that these Android TV boxes are typically used for watching pirated content. I can’t see any company putting heavy efforts into the security of their product when it’s used for this purpose. Whether they’re intended to be a Trojan horse or not, the risk their use brings is too high in my humble opinion. I agree with Brian, they should be binned.

@[email protected] I don't think China is a country. I think China is a stateless territory infested by a communist criminal terrorist organization whose kingpin is Xi Jin Ping.

https://en.wikipedia.org/wiki/Human_rights_in_China

#humanrights #freedomofspeech #china

@clock @briankrebs I don't think the United States is a country. I think it's a stateless territory infested by a criminal capitalist terrorist organization whose kingpin is three billionaires in a trench coat shaped like Donald Trump.

@pier @briankrebs I don't think you can have 3 people as a kingpin; it always has to be a single person.

I don't disagree with your statement, but do you think it's being run by 3 men at the same time, not just by Donald Trump?

@pier @clock @briankrebs ALL countries are just some organization that's laid claim to some territory and people. Can probably claim they're all criminal organizations also. Just to varying degrees--and yeah, Trump is a mob boss.

@clock @briankrebs Is there any room at all between overt Communism and Capitalism?

Seems Gen Z and beyond have a better chance of survival, from working off of The Belt and Road Initiative in The Global South, than they do in staying in obviously collapsing economies.

If you were to pick an emerging economy in South America for better sustainability, which one(s) would you choose?

@cauZation @clock @briankrebs

> Is there any room at all between overt Communism and Capitalism?

Yes, quite a bit!

@briankrebs How do those devices (along with all the fridges and IOT cameras that make up most botnets) get infected? Aren't most of them behind NAT? I understand "default passwords", but for that to be a problem, there has to be a way for the attacker to connect to a device in the first place, and that is the part I don't get.
@miki this is the subject of my reporting in the New Year. Stay tuned.

@miki @briankrebs The bot forms the connection to the server. Bing bang boom.

There's also IPv6. That may or may not be available for direct addressing.

That's all the issue is. The outside doesn't know how to address something behind a NAT. Once a connection is formed the NAT gateway deals with the translations and communication happens normally for the two sides. The NAT gateway does the work at that point.

@crazyeddie @briankrebs I understand all of that, my question was about how the initial infection occurs.

@miki @crazyeddie @briankrebs In the factory that makes them, when the wholesale customer or manufacturer, or one of their employees, is in on it or careless enough to accidentally include it in their images.

Why bother hacking people and places to set up botnets and snoop around networks when you can get your victims to pay you for your trojan horse to be delivered directly to them

@miki @briankrebs

I'd bet money many/most of the "pirate tv" set-top boxes come that way. Their unstated secondary purpose as a point-of-presence for DDOS and other attacks subsidizes the price.

@briankrebs Krebs is on mastodon! Awesome! Following.

@briankrebs

telling people to waste perfectly good TV boxes that can run Linux is absolutely the wrong takeaway

@briankrebs insecure software can be replaced with better software
@burnoutqueen @briankrebs How do you replace the on-chip boot ROM? Systems can be backdoored via firmware or even hardware in ways that simply replacing the OS will not cure.

@dan131riley @briankrebs a boot rom cannot realistically hold the entirety of a botnet client.

It requires a whole software stack to support the things that botnets usually do.

Also, you can in fact analyze a computer for its IP traffic.

@burnoutqueen @dan131riley @briankrebs

> boot rom cannot realistically hold the entirety of a botnet client

That was true in 1992

@burnoutqueen @briankrebs

The boot ROM just needs enough to compromise the system and download any extensions (most malware these days is modular).

If you haven’t shaved and imaged the SoC, you don’t know how much ROM it actually has.

Malware keeps getting cleverer at exploiting side channels for C&C. If you’re relying on traffic monitoring, you may not notice anything until you’re part of a DDoS.

@burnoutqueen ok. that's fine. I recognize there are some people who think piracy is a right and anyone saying otherwise is ill-informed, a tech noob, or a fear monger.
@burnoutqueen @briankrebs so many more linux set top boxes out there though

"Investigations found that the author of Kimwolf shows an almost "obsessive" fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple samples.

For example, in sample 2078af54891b32ea0b1d1bf08b552fe8, the domain fuckbriankrebs[.]com is embedded in both its udp_dns and mc_enc attack methods, used to generate DNS request payloads."

😂🤣

@briankrebs