Google warns about unofficial Android TV boxes, offers tips on how to spot one

Mecool HomePlus KA1 remote
(Image credit: Jay Bonggolto / Android Central)

What you need to know

  • Google responds to reports of insecure Android TV boxes sold online.
  • The search engine giant warns that some of these devices may include Google apps that are not Play Protect certified.
  • Google offers a simple method for determining whether your set-top box is secure.

Google has finally addressed reports of malware-laden Android TV boxes being sold online, saying some of these devices may include apps not licensed by Google.

Earlier this year, Daniel Milisic, a Canadian security consultant, found that an Android TV box he purchased from Amazon was laced with malware designed to generate revenue by clicking on ads in the background (via Bleeping Computer). For the average user, this clandestine activity won't be easy to figure out.

The device in question was the AllWinner T95, which boasts four-out-of-five-star ratings and numerous positive reviews (via TechCrunch). The TV box also allows for customization and includes various streaming services, like many of the leading Android TV boxes. The best part is that it only retails for $40.

However, it was discovered that the set-top box was communicating with a command and control server, awaiting further instructions. Milisic found that the device was connecting to a wider botnet that was spread all over the world. Further investigation revealed that it had been infected with a clickbot, which is used in ad-click fraud campaigns.

Aside from the above-mentioned Android TV box, Electronic Frontier Foundation researcher Bill Budington separately mentioned other models that do the same fraudulent activity, such as the AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10.

"We have recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices," Google states in an Android TV community post. "Some of them may also come with Google apps and the Play Store that are not licensed by Google, which means that these devices are not Play Protect certified."

Devices built with AOSP can technically ship with Google apps even without a license from Google. The search giant urges users to verify whether their Android TV box is Play Protect certified by visiting this web page, where a complete list of its partners can be found. If your device is from an OEM that isn't on the list, it hasn't passed Google's security and compatibility tests.

You can also check your box's Play Protect certification status by opening the Google Play Store app and clicking the profile icon in the upper right corner. Finally, tap "Play Protect" to see if your device is certified for Play Protect.

Jay Bonggolto
News Writer & Reviewer

Jay Bonggolto always keeps a nose for news. He has been writing about consumer tech and apps for as long as he can remember, and he has used a variety of Android phones since falling in love with Jelly Bean. Send him a direct message via Twitter or LinkedIn.