{"id":57109,"date":"2024-09-16T13:57:26","date_gmt":"2024-09-16T13:57:26","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36339\/1.3-Million-Android-Based-TV-Boxes-Backdoored.html"},"modified":"2024-09-16T13:57:26","modified_gmt":"2024-09-16T13:57:26","slug":"1-3-million-android-based-tv-boxes-backdoored","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/","title":{"rendered":"1.3 Million Android-Based TV Boxes Backdoored"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/streaming-tv-800x526.jpg\" alt=\"1.3 million Android-based TV boxes backdoored; researchers still don\u2019t know how\"><figcaption class=\"caption\">\n<div class=\"caption-credit\">Getty Images<\/div>\n<\/figcaption><\/figure>\n<p>Researchers still don\u2019t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.<\/p>\n<p>Security firm Doctor Web <a href=\"https:\/\/news.drweb.com\/show\/?i=14900&amp;lng=en\">reported Thursday<\/a> that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. 
Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.<\/p>\n<h2>Dozens of variants<\/h2>\n<p>Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.<\/p>\n<p>\u201cAt the moment, the source of the TV boxes\u2019 backdoor infection remains unknown,\u201d Thursday\u2019s post stated. \u201cOne possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.\u201d<\/p>\n<p>The following device models are infected by Vo1d:<\/p>\n<table class=\"Table\">\n<thead>\n<tr>\n<th>TV box model<\/th>\n<th>Declared firmware version<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>R4<\/td>\n<td>Android 7.1.2; R4 Build\/NHG47K<\/td>\n<\/tr>\n<tr>\n<td>TV BOX<\/td>\n<td>Android 12.1; TV BOX Build\/NHG47K<\/td>\n<\/tr>\n<tr>\n<td>KJ-SMART4KVIP<\/td>\n<td>Android 10.1; KJ-SMART4KVIP Build\/NHG47K<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What\u2019s more, Doctor Web said it\u2019s not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models.<\/p>\n<p>Further, while only licensed device makers are permitted to modify Google\u2019s Android TV, any device maker is free to make changes to open source versions. 
That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.<\/p>\n<p>\u201cThese off-brand devices discovered to be infected were not <a href=\"https:\/\/support.google.com\/androidtv\/thread\/217840369\/ensuring-your-android-tv-os-device-is-secure?hl=en\">Play Protect certified Android devices<\/a>,\u201d Google said in a statement. \u201cIf a device isn&#8217;t Play Protect certified, Google doesn\u2019t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.\u201d<\/p>\n<p>The statement said people can confirm a device runs Android TV OS by checking <a href=\"https:\/\/www.android.com\/tv\/\">this link<\/a> and following the steps listed <a href=\"https:\/\/support.google.com\/googleplay\/answer\/7165974\">here<\/a>.<\/p>\n<p>Doctor Web said that there are dozens of Vo1d variants that use different code and plant malware in slightly different storage areas, but that all achieve the same end result of connecting to an attacker-controlled server and installing a final component that can install additional malware when instructed. VirusTotal shows that most of the Vo1d variants were first uploaded to the malware identification site several months ago.<\/p>\n<p>Researchers wrote:<\/p>\n<blockquote>\n<p>All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. 
The following objects were changed on the affected TV box:<\/p>\n<ul>\n<li><span class=\"string\">install-recovery.sh<\/span><\/li>\n<li><span class=\"string\">daemonsu<\/span><\/li>\n<\/ul>\n<p>In addition, 4 new files emerged in its file system:<\/p>\n<ul>\n<li><span class=\"string\">\/system\/xbin\/vo1d<\/span><\/li>\n<li><span class=\"string\">\/system\/xbin\/wd<\/span><\/li>\n<li><span class=\"string\">\/system\/bin\/debuggerd<\/span><\/li>\n<li><span class=\"string\">\/system\/bin\/debuggerd_real<\/span><\/li>\n<\/ul>\n<p>The <span class=\"string\">vo1d<\/span> and <span class=\"string\">wd<\/span> files are the components of the <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d&amp;lng=en\"><b>Android.Vo1d<\/b><\/a> trojan that we discovered.<\/p>\n<blockquote>\n<p>The trojan\u2019s authors probably tried to disguise one of its components as the system program \/system\/bin\/vold, having called it by the similar-looking name \u201cvo1d\u201d (substituting the lowercase letter \u201cl\u201d with the number \u201c1\u201d). The malicious program\u2019s name comes from the name of this file. Moreover, this spelling is consonant with the English word \u201cvoid\u201d.<\/p>\n<\/blockquote>\n<p>The <span class=\"string\">install-recovery.sh<\/span> file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the <span class=\"string\">\/system<\/span> system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). 
<a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d&amp;lng=en\"><b>Android.Vo1d<\/b><\/a> has registered the autostart for the <span class=\"string\">wd<\/span> component in this file.<\/p>\n<figure class=\"image shortcode-img center full\"><img loading=\"lazy\" decoding=\"async\" alt=\"The modified install-recovery.sh file\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/01_recovery.png\" width=\"533\" height=\"388\"><figcaption class=\"caption\">\n<div class=\"caption-text\">The modified install-recovery.sh file<\/div>\n<div class=\"caption-credit\">Doctor Web<\/div>\n<\/figcaption><\/figure>\n<p>The <span class=\"string\">daemonsu<\/span> file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d&amp;lng=en\"><b>Android.Vo1d<\/b><\/a> registered itself in this file, too, having also set up autostart for the <span class=\"string\">wd<\/span> module.<\/p>\n<p>The <span class=\"string\">debuggerd<\/span> file is a daemon that is typically used to create reports on occurred errors. But when the TV box was infected, this file was replaced by the script that launches the <span class=\"string\">wd<\/span> component.<\/p>\n<p>The <span class=\"string\">debuggerd_real<\/span> file in the case we are reviewing is a copy of the script that was used to substitute the real <span class=\"string\">debuggerd<\/span> file. Doctor Web experts believe that the trojan\u2019s authors intended the original <span class=\"string\">debuggerd<\/span> to be moved into <span class=\"string\">debuggerd_real<\/span> to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). 
As a result, the device had two scripts from the trojan and not a single real <span class=\"string\">debuggerd<\/span> program file.<\/p>\n<p>At the same time, other users who contacted us had a slightly different list of files on their infected devices:<\/p>\n<ul>\n<li><span class=\"string\">daemonsu<\/span> (the <span class=\"string\">vo1d<\/span> file analogue \u2014 <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.1&amp;lng=en\"><b>Android.Vo1d.1<\/b><\/a>);<\/li>\n<li><span class=\"string\">wd<\/span> (<a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.3&amp;lng=en\"><b>Android.Vo1d.3<\/b><\/a>);<\/li>\n<li><span class=\"string\">debuggerd<\/span> (the same script as described above);<\/li>\n<li><span class=\"string\">debuggerd_real<\/span> (the original file of the <span class=\"string\">debuggerd<\/span> tool);<\/li>\n<li><span class=\"string\">install-recovery.sh<\/span> (a script that loads objects specified in it).<\/li>\n<\/ul>\n<p>An analysis of all the aforementioned files showed that in order to anchor <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d%20in%20the&amp;lng=en\"><b>Android.Vo1d in the<\/b><\/a> system, its authors used at least three different methods: modification of the <span class=\"string\">install-recovery.sh<\/span> and <span class=\"string\">daemonsu<\/span> files and substitution of the <span class=\"string\">debuggerd<\/span> program. 
They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan\u2019s successful auto launch during subsequent device reboots.<\/p>\n<p><a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d&amp;lng=en\"><b>Android.Vo1d<\/b><\/a>\u2019s main functionality is concealed in its <span class=\"string\">vo1d<\/span> (<a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.1&amp;lng=en\"><b>Android.Vo1d.1<\/b><\/a>) and <span class=\"string\">wd<\/span> (<a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.3&amp;lng=en\"><b>Android.Vo1d.3<\/b><\/a>) components, which operate in tandem. The <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.1&amp;lng=en\"><b>Android.Vo1d.1<\/b><\/a> module is responsible for <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.3&amp;lng=en\"><b>Android.Vo1d.3<\/b><\/a>\u2019s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&amp;C server. In turn, the <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.3&amp;lng=en\"><b>Android.Vo1d.3<\/b><\/a> module installs and launches the <a href=\"https:\/\/vms.drweb.com\/search\/?q=Android.Vo1d.5&amp;lng=en\"><b>Android.Vo1d.5<\/b><\/a> daemon that is encrypted and stored in its body. This module can also download and run executables. 
Moreover, it monitors specified directories and installs the APK files that it finds in them.<\/p>\n<\/blockquote>\n<p>The geographic distribution of the infections is wide, with the biggest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/android.Vo1d_map_en.png\" class=\"enlarge\" data-height=\"588\" data-width=\"1024\" alt=\"A world map listing the number of infections found in various countries.\"><img loading=\"lazy\" decoding=\"async\" alt=\"A world map listing the number of infections found in various countries.\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/android.Vo1d_map_en-640x368.png\" width=\"640\" height=\"368\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/android.Vo1d_map_en.png 2x\"><\/a><figcaption class=\"caption\">\n<div class=\"caption-text\">A world map listing the number of infections found in various countries.<\/div>\n<div class=\"caption-credit\">Doctor Web<\/div>\n<\/figcaption><\/figure>\n<p>It\u2019s not especially easy for less experienced people to check if a device is infected short of installing malware scanners. Doctor Web said its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. 
More experienced users can check indicators of compromise <a href=\"https:\/\/github.com\/DoctorWebLtd\/malware-iocs\/blob\/master\/Android.Vo1d\/README.adoc\">here<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/36339\/1.3-Million-Android-Based-TV-Boxes-Backdoored.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":57110,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[11043],"class_list":["post-57109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackerprivacymalwarebackdoor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>1.3 Million Android-Based TV Boxes Backdoored 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"1.3 Million Android-Based TV Boxes Backdoored 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-16T13:57:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/streaming-tv-800x526.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"1.3 Million Android-Based TV Boxes 
Backdoored\",\"datePublished\":\"2024-09-16T13:57:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/\"},\"wordCount\":1256,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/1-3-million-android-based-tv-boxes-backdoored.jpg\",\"keywords\":[\"headline,hacker,privacy,malware,backdoor\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/\",\"name\":\"1.3 Million Android-Based TV Boxes Backdoored 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/1-3-million-android-based-tv-boxes-backdoored.jpg\",\"datePublished\":\"2024-09-16T13:57:26+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/1-3-million-android-based-tv-boxes-backdoored.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/1-3-million-android-based-tv-boxes-backdoored.jpg\",\"width\":800,\"height\":526},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-3-million-android-based-tv-boxes-backdoored\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,privacy,malware,backdoor\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerprivacymalwarebackdoor\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"1.3 Million Android-Based TV Boxes Backdoored\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 
Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"1.3 Million Android-Based TV Boxes Backdoored 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/","og_locale":"en_US","og_type":"article","og_title":"1.3 Million Android-Based TV Boxes Backdoored 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-16T13:57:26+00:00","og_image":[{"url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/streaming-tv-800x526.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"1.3 Million Android-Based TV Boxes Backdoored","datePublished":"2024-09-16T13:57:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/"},"wordCount":1256,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/1-3-million-android-based-tv-boxes-backdoored.jpg","keywords":["headline,hacker,privacy,malware,backdoor"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/","url":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/","name":"1.3 Million Android-Based TV Boxes Backdoored 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/1-3-million-android-based-tv-boxes-backdoored.jpg","datePublished":"2024-09-16T13:57:26+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/1-3-million-android-based-tv-boxes-backdoored.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/1-3-million-android-based-tv-boxes-backdoored.jpg","width":800,"height":526},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/1-3-million-android-based-tv-boxes-backdoored\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,privacy,malware,backdoor","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerprivacymalwarebackdoor\/"},{"@type":"ListItem","position":3,"name":"1.3 Million Android-Based TV Boxes Backdoored"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 
Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57109"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57109\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/57110"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}