this post was submitted on 13 Sep 2024
101 points (98.1% liked)

Cybersecurity

5728 readers
107 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS
 

Infection corrals devices running AOSP-based firmware into a botnet.

top 12 comments
sorted by: hot top controversial new old
[–] reddig33@lemmy.world 40 points 2 months ago (1 children)

Gee, I bought this cheap made in China Android TV thing off Ali express, and I just can’t figure out how this backdoor got in here…

[–] pastermil@sh.itjust.works 6 points 2 months ago (1 children)

Oop.. They got my printer now.

[–] hemmes@lemmy.world 2 points 2 months ago

And my axe!

[–] BoyetLeonantus@sh.itjust.works 15 points 2 months ago (2 children)

RethinkDNS (available on F-Droid) has a mode where it blocks every connection by default and you have to allow each app to access the network. I used that to effectively disable the pre-installed malware on my Android TV box (X88 Pro iirc). It also has DNS and connection logs to check network traffic (can be a lot though). GlassWire (Play Store) is nice to quickly check for an unexpected amount of network traffic. Not sure if there's ways around that, but it worked in my case a while ago.

[–] treadful@lemmy.zip 6 points 2 months ago

These tools look amazing. Thanks for sharing.

Here's a link for those interested: https://rethinkdns.com/

[–] Cheradenine@sh.itjust.works 2 points 2 months ago

The logs are searchable by app, IP , and domain, so that helps a lot.

[–] Dagnet@lemmy.world 5 points 2 months ago (1 children)

I have a MiBox, I wonder if its vulnerable

[–] pandapoo@sh.itjust.works 7 points 2 months ago (1 children)

I'm guessing very few, if any, Play Store certified devices are on that list. Unless Google has really laxed requirements.

Either way, Xaomi devices might get a CCP backdoor, but probably not an ordinary botnet like this.

[–] Dagnet@lemmy.world 2 points 2 months ago (1 children)

So no talking about how awesome Taiwan is near my tv huh

[–] pandapoo@sh.itjust.works 3 points 2 months ago* (last edited 2 months ago)

Xaomi is a good brand, until proven otherwise.

I was just giving a broad disclaimer, but mostly I was trying to highlight that they aren't some random shady white box OEM that gets re-sold under 72 different brand names.

They are a well established brand that produces quality products, that happens to be based in China, and therefore subject to Chinese laws and regulations.

[–] ptz@dubvee.org 4 points 2 months ago

Further, while only licensed device makers are permitted to modify Google’s AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

It's ArsTechnica, so I wouldn't think they're intentionally spreading FUD around FOSS, but that bit did live a bad taste in my mouth.

[–] dingdongitsabear@lemmy.ml 2 points 2 months ago

this is a nothing-burger. the same "article" from days ago, rehashing the same bullshit, quoting a totally unknown security researcher firm (that, conveniently, also sells some turd that's gonna rid you of this scourge) with zero details, followed with less than zero fact checking from arse technica, like how did they establish the 1.3 milsky number, the "infection" vector and other similarly "unimportant" shit.

portals like the mentioned arse thing are hungry for content and are willing to publish any old thing that even resembles quality content. keep your eyes open, your wits about you, and question everything.