PrePw0n3d Android TV Sticks: A Cybersecurity Nightmare

By: Karrie Westmoreland

The rise of affordable Android TV sticks has made streaming more accessible than ever. However, cybersecurity experts have uncovered a disturbing trend: some of these devices come prepw0n3d—pre-infected with malware straight from the factory. These compromised streaming devices pose a serious risk, capable of stealing personal data, mining cryptocurrency, and even integrating into large-scale botnets. Estimates of infected devices world-wide are between 1 and 8 million devices representing a very real and serious threat. 

"PrePw0n3d" (a play on "pwned," meaning "compromised") refers to Android TV devices that arrive pre-infected with malware or backdoors. These devices are often mass-produced by lesser-known manufacturers, sold at low prices, and marketed as affordable alternatives to official Google-certified Android TV products. 

Users may unknowingly install these malicious devices in their homes, putting their personal data, banking credentials, and even entire home networks at risk. 

​The issue of pre-infected Android TV sticks is alarmingly widespread. In 2023, researchers uncovered that over 1 million Android-based devices, including TV streaming boxes, were compromised with malware, forming part of a botnet used for cybercrime activities. Additionally, a cybercrime organization known as the Lemon Group pre-infected over 8.9 million Android devices, encompassing smartphones, watches, televisions, and more, with the Guerilla malware. Furthermore, the Vo1d malware has infected approximately 1.3 million Android-based TV boxes across 197 countries, acting as a backdoor for unauthorized software installations. These figures highlight the extensive scale of the problem, emphasizing the critical need for consumers to exercise caution when purchasing and using Android TV devices. 

Many budget Android TV sticks are infected at the firmware level before they even reach the consumer. This can happen through: 

• Supply Chain Attacks – Malware is embedded during manufacturing. 

• Pre-Installed Rogue Apps – Fake system apps disguise malicious payloads and execute background tasks. 

• Backdoor Access – Hidden tools allow attackers to remotely control the device. 

Researchers have found malware like Triada Trojan, DroidJack, and AndroRAT preloaded on some of these devices, enabling attackers to execute commands remotely, steal data, and even use the devices for cyberattacks. 

1. Backdoor Access & Remote Control

Many infected devices contain hidden backdoors that allow remote execution of commands: 

• Modified System Binaries – Malware is embedded into critical system files (e.g., system_server, adb). 

• Remote Access Tools (RATs) – Attackers can control the device, steal files, or activate microphones and cameras. 

• Hidden WebSockets & SSH Tunnels – These enable encrypted communication between the device and an attacker’s command-and-control (C2) server. 
  

2. Ad Fraud & Click Injection

Some prepw0n3d devices participate in large-scale ad fraud campaigns, which include: 

• Click Bots – The malware interacts with ads in the background to generate fake revenue. 

• Invisible Ad Overlays – Ads are displayed in hidden layers, tricking advertisers into paying for fake impressions. 

• Proxy Network Abuse – The device routes fraudulent traffic, making it appear like real user activity. 

Malware strains like Joker, Triada, and Guerilla have been linked to such fraud schemes. 

3. Cryptojacking (Hidden Cryptocurrency Mining)

Some compromised devices hijack system resources for cryptocurrency mining, causing: 

• High CPU Usage – Slows down device performance. 

• Overheating Risks – Extended mining can physically damage hardware. 

• Wi-Fi & Data Drain – Mining pools constantly communicate over the network, increasing bandwidth consumption. 

4. Credential & Data Theft

Pre-installed malware can steal sensitive information, such as: 

• Google & Streaming Service Logins – Malware extracts credentials stored in system files. 

• Clipboard Sniffing – Captures copied passwords and cryptocurrency wallet addresses. 

• Wi-Fi Credential Harvesting – Attackers steal saved Wi-Fi passwords, allowing lateral movement into other devices on the network. 

5. Botnet Recruitment & DDoS Attacks

Many prepw0n3d TV sticks become zombies in a botnet, controlled by cybercriminals to: 

• Launch DDoS Attacks – Devices flood targets with traffic, overwhelming servers. 

• Act as SOCKS5 Proxies – Hacked devices route malicious traffic, masking the attacker’s identity. 

• C2 (Command & Control) Beaconing – Malware receives new instructions dynamically, making it adaptable. 

Some devices have even been found running Mirai-based malware, a botnet strain responsible for massive cyberattacks. 

6. Firmware-Level Persistence & Rootkits

Pre-infected devices often have persistent malware, meaning it survives factory resets: 

• Bootloader Tampering – Malware is injected into the recovery partition, reinstalling itself after a reset. 

• System Service Hijacking – Malware-laced processes (zygote, init) start automatically at boot. 

• Encrypted Payload Updates – The malware updates itself remotely, evolving over time. 

A notorious example is xHelper, a highly persistent Android Trojan that reinstalls itself even after a factory reset. 

Case 1: The Triada Trojan Incident 

Security researchers discovered Android TV sticks preloaded with Triada, a powerful malware capable of: 

• Installing additional payloads 
• Stealing login credentials
• Displaying intrusive ads 

Even factory resets couldn’t remove the malware because it was embedded into the device’s firmware. 

​The Triada Trojan is a sophisticated piece of Android malware that has evolved significantly since its discovery in 2016. Initially, Triada exploited root privileges to infiltrate device processes, but it later adapted to become a pre-installed threat on certain devices. One of its primary tactics involves injecting malicious code into the Zygote process—a core process in Android responsible for launching applications. By compromising Zygote, Triada ensures that its code is executed within every app initiated on the device, granting it extensive control and the ability to monitor user activities across all applications. ​geeksforgeeks.org+1kaspersky.com+1attack.mitre.org+2kaspersky.com+2usa.kaspersky.com+2 

To achieve this, Triada modifies system libraries and binaries, embedding its components deeply within the operating system. This manipulation allows the malware to intercept data, such as SMS messages, and redirect financial transactions without user consent. Furthermore, Triada employs techniques to hide its presence by altering system functions, making it invisible in the list of running processes and installed applications.  

Case 2: The Badbox Botnet 

The cybersecurity firm Human Security uncovered a botnet named Badbox, where infected Android TV sticks were used for: 

✔ Ad fraud campaigns 
✔ Data theft 
✔ Large-scale cyberattacks 

These devices were actively communicating with attacker-controlled servers, executing malicious tasks in real time. 

​The BadBox botnet represents a significant cybersecurity threat, leveraging compromised Android devices to facilitate various malicious activities. Initially identified in 2023, BadBox has evolved, infecting a diverse array of devices and expanding its global footprint.​  

Infection Vectors and Scope 

BadBox primarily targets Android-based devices, including TV streaming boxes, tablets, projectors, and car infotainment systems. In many instances, the malware is pre-installed during the manufacturing process, often affecting low-cost, off-brand devices. However, recent findings indicate that high-end models, such as Yandex 4K QLED Smart TVs and Hisense smartphones, have also been compromised, suggesting that the issue extends beyond just low-cost electronics. ​  

The botnet's scale is alarming. As of early 2025, over 1 million devices across 222 countries have been infected, with significant concentrations in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%). ​  

Malware Capabilities and Operations 

Once a device is compromised, BadBox can perform several malicious activities:​  

• Residential Proxy Services: Infected devices are used as residential proxies, routing malicious traffic through them to mask the origin of cyberattacks. ​  

• Ad Fraud: The botnet generates fake ad impressions and redirects users to low-quality domains, defrauding advertisers and generating illicit revenue. ​  

• Credential Stuffing: BadBox utilizes the compromised devices to automate login attempts on various platforms, exploiting reused or weak passwords. ​  

Detecting BadBox is challenging due to its deep integration into device firmware. Users may notice unusual device behavior, such as increased data usage or degraded performance. To mitigate the threat, collaborative efforts have been undertaken:​ 

• App Removal: Google has removed 24 malicious apps from the Play Store associated with BadBox and implemented Play Protect enforcement to warn users against installing related applications. ​  

• Infrastructure Disruption: Organizations like Trend Micro and Shadowserver have collaborated to sinkhole communications, disrupting the botnet's control over infected devices. ​  

To protect against BadBox infections: 

• Purchase Devices from Reputable Sources: Avoid low-cost, off-brand devices that may be more susceptible to supply chain compromises.​  

• Keep Firmware Updated: Regularly update device firmware to patch known vulnerabilities.​ 

• Monitor Network Activity: Be vigilant for unusual network traffic that could indicate malicious activity.​ 

The BadBox botnet underscores the critical need for enhanced supply chain security and user awareness to mitigate the risks posed by such pervasive threats.​ 

• Buy from Reputable Sources – Stick to trusted brands and official resellers.
• Check for Suspicious Apps – Use security tools to scan for pre-installed malware.
• Reflash the Firmware – Install a clean version of Android TV firmware (if available).
• Monitor Network Activity – Watch for unusual outbound connections.
• Use a Firewall or Router Rules – Block unauthorized traffic at the network level.
   
  

• NetGuard – Monitors and blocks suspicious network activity. 

• AFWall+ – Provides granular firewall control over app connectivity. 

• VirusTotal – Checks for known malware signatures. 

• Wireshark – Analyzes network traffic for unusual behavior. 

The rise of pre-infected Android TV sticks highlights a growing cybersecurity crisis, where malicious software is embedded into devices before they even reach consumers. With botnets like BadBox, persistent threats like Triada and xHelper, and large-scale malware campaigns infecting millions of devices globally, the risks are no longer hypothetical—they are real and widespread. 

• Massive Scale – Over 1 million Android devices are already compromised worldwide, with infections spanning TV sticks, smartphones, and smart devices. 
• Stealthy Malware – Threats like Triada modify system processes, while xHelper survives factory resets, making removal difficult. 
  
• Botnet Integration – Many infected devices become part of global cybercriminal networks, used for ad fraud, credential theft, and DDoS attacks. 
  
• Cryptojacking & Data Theft – Some malware drains system resources for crypto mining, while others steal login credentials and Wi-Fi passwords. 
  
• Supply Chain Corruption – Many of these threats originate before purchase, meaning consumers may be compromised the moment they power on their device. 

The best defense against prepw0n3d devices is proactive security awareness. Consumers should: 

• Buy from reputable brands and authorized retailers to avoid malware-laden devices.
• Regularly update firmware and check for suspicious pre-installed apps.
• Monitor network traffic for unusual activity that could indicate infection.
• Reflash firmware if possible to remove factory-installed malware. 

Cheap, off-brand Android TV sticks may seem like a great deal, but they could come at the cost of your privacy, security, and even financial safety. By choosing trusted sources and staying vigilant, users can protect themselves from becoming part of a global cybercrime ecosystem. 

Cyber threats evolve daily, staying informed is the best way to stay safe.