
Sketchy ‘Android TV’ boxes are unsurprisingly filled with malware – What to look for instead

“Android TV” has essentially two meanings on the market today. There’s the official Android TV OS by Google, which powers TV sets, streaming dongles, and set-top boxes, and then there’s Android, but on a TV. The difference is critical to how your experience will go, and if you care about your security at all, you should avoid the latter at all costs.

The problem with sketchy Android TV boxes

It doesn’t take much to find sketchy devices that call themselves “Android TV” boxes across Amazon and other major marketplaces. These boxes typically advertise high-quality output, strong specs, and the ability to run apps like Kodi, often for accessing “free” but typically less-than-legal content. But regardless of what you want to buy these boxes for, there are some major things to watch out for.

First and foremost, there’s the issue of security.

Earlier this year, one popular “Android TV” box on Amazon was found to be sold with malware on board. The device also pulled additional payloads of malicious content from the web once hooked up to your network. This week, the folks over at Linus Tech Tips published a video digging into several other popular “Android TV” boxes sold online and found that all of those boxes had effectively the same framework in place for malware to flourish and, potentially, do some actual damage to your information or other devices on your network.

Beyond that issue, there are other potential problems with buying these boxes. The Android builds on board often will not be updated, leaving the door open for even a relatively “clean” device to be infected by bad actors taking advantage of security holes patched in later Android releases.

As shown in the LTT video, there’s also no guarantee that what the listing says is actually what you’re buying. Multiple boxes tested had less RAM available than advertised, and some couldn’t output the 4K resolution they were advertised with and were locked as low as 720p.


Update 5/19: TechCrunch is also now shining a spotlight on this same story, with EFF security researcher Bill Budington having since confirmed the presence of malware on popular “Android TV” boxes from AllWinner and Rockchip on Amazon.

The outlet has also asked Amazon directly why these boxes are allowed to be sold. The retailer declined to comment on whether Amazon reviews the security of devices on its marketplace or whether it has any plans to remove these devices that are clearly packed with dangerous software.

Several months after these issues initially came out, and even after this latest wave of reporting, these boxes remain for sale on Amazon.


Does that all mean you should never buy an “Android TV” box? No, but you need to be careful when choosing what to buy.

Android TV OS vs. Android on a TV – The differences to look for

As mentioned at the outset, there are two forms of “Android TV.” In the case of sketchy boxes, you’re looking at Android but on a TV. These devices are generally running a forked version of Android, modified from Android’s open-source code. They’re rarely certified by Google, and every piece of software on board is either modified or hacked into place.

On the other hand, there’s Android TV OS. That’s a legitimate offering that comes directly from Google.

Android TV OS is the framework that sits beneath the Android TV experience, Google TV experience, and the customized experiences built out by Pay TV providers. We recently covered the deep history of Android TV, including how it became Google TV.

The short version is that, when buying an “Android TV” device, you’ll want to look for these key points:

  • The Play Store is installed with other Google apps.
  • The homescreen looks like one of the two designs below.
  • Look for signs of Google Assistant.
  • Android TV OS devices rarely have complicated remotes.

It’s not uncommon for a sketchy “Android TV” box to include support for the Play Store, but this is often hacked into place after the fact. One thing that helps show that you’re getting a legitimate offering is that other Google apps, such as YouTube, are also installed. Netflix is also generally installed on official Android TV OS devices.

You’ll also want to look at the homescreen. Android TV OS in 2023 has one of two appearances on consumer devices, both of which can be seen below. They might be tweaked in small ways, but on the whole, your device should have something nearly identical to these.

Google Assistant is another key sign that an Android TV device is legitimate. Google Assistant on Android TV OS devices will have a shortcut on the remote and appear along the bottom or the top of the UI, with the Assistant logo in full view.

And finally, another clear sign is often as simple as the remote. Official Android TV OS devices almost exclusively ship with fairly simple remotes. On Chromecast with Google TV, there are only eight buttons and a D-Pad. The same is true of the Nvidia Shield TV and others. Anything with additional buttons usually just includes a number pad for channel entry. This isn’t necessarily true for TV sets but will often be the case for set-top boxes and streaming dongles.

This is one of the most common Android TV remotes

9to5Google’s Android TV recommendations

Not sure what to get? We’ve tried a lot of Android TV OS devices, so here are our top recommendations.


Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.