Tom’s Guide
Technology
Amber Bouman

Nearly 2 million Android devices hijacked by massive new botnet — how to stay safe

Android malware on phone.

On October 30th, Cloudflare traffic data flagged a strange domain that briefly surpassed Google as the most popular destination globally. It wasn't a website at all: it was a massive command-and-control server that was directing at least 1.8 million Android devices for nefarious purposes.

Known as Kimwolf, the botnet is now considered the largest of its kind (so far) and shares a codebase with the previous record holder, Aisuru. Both botnets use malware to infect vulnerable devices and rely on an APK file to load and start at runtime, but the threat actors learned from Aisuru and built additional features into Kimwolf to better evade detection. Beyond the usual DDoS attacks, it also supports proxy forwarding, which lets the attackers route traffic through infected devices to conceal their own location and bypass IP-based geo-restrictions and blocklists.

The malware also includes a reverse shell, which gives the attackers command-line access to infected devices. That means they can run arbitrary commands, deploy additional malware, and upload, download or modify files on any compromised device.

Researchers at XLab infiltrated the Kimwolf botnet to learn how it works and how large it is. According to their findings, it targets Android devices, specifically those that are not Play Protect certified by Google, such as dirt-cheap set-top boxes and tablets, which lack the search giant's extra protections.

XLab says the Kimwolf botnet appears to consist largely of infected Android TV boxes on residential networks distributed across 222 countries. The largest shares of IP addresses are in Brazil (14%), India (12.7%) and the United States (9.5%), followed by Argentina, South Africa, the Philippines, Mexico and China.

How to avoid becoming mixed up in a botnet


The recommendations here are simple: avoid purchasing uncertified, off-brand Android devices, set strong passwords, update firmware as soon as updates are available, and only install apps from known and trusted developers.

If you want to stay safe, don't buy AOSP-based Android devices like off-brand TV boxes that lack official Google Play Services support. Additionally, keep your firmware updated and install the latest security patches as soon as they become available on whichever of the best streaming devices you're currently using.

Google spokespeople have frequently advised us that "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure Google Play Protect, Android's malware protection that is on by default on devices with Google Play Services, is enabled."

At the same time, avoid sideloading apps and stick to the Google Play Store and other official app stores. Likewise, remote access features on Android TV devices can be disabled when not in use, which reduces the avenues an attacker has into the device. This provides an extra layer of protection for your devices and the data on them if they have unknowingly become part of a botnet.
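Since the advice above hinges on not sideloading, here is a quick way to check what is actually on a box. The following is an added example written for this article, not code from Tom's Guide or from XLab: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer recorded) and lists every app that did not come from the Play Store (`com.android.vending`). The embedded sample output is constructed for illustration, and the package names in it are made up; on a real device the script runs `adb` if it is on your PATH and USB/network debugging is enabled.

```python
import re
import shutil
import subprocess

PLAY_STORE = "com.android.vending"

# Constructed sample of `adb shell pm list packages -3 -i` output (hypothetical
# package names). installer=null means the app was installed via ADB or a
# package installer without recording a source, i.e. sideloaded.
SAMPLE_OUTPUT = """\
package:com.google.android.youtube.tv  installer=com.android.vending
package:tv.vendor.iptvbox  installer=null
package:com.example.stream.player  installer=com.android.packageinstaller
package:com.netflix.ninja  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_package_list(text):
    """Map package name -> installer package (None when the installer is 'null')."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            name, installer = match.groups()
            packages[name] = None if installer == "null" else installer
    return packages


def not_from_play_store(packages):
    """Third-party packages whose recorded installer is not the Play Store.

    With `-3` the list excludes preinstalled system apps, so anything left here
    was sideloaded (ADB, a package-installer prompt, or an alternative store).
    """
    return sorted(name for name, installer in packages.items()
                  if installer != PLAY_STORE)


def audit(text):
    """Return the sideloaded third-party packages found in `pm list` output."""
    return not_from_play_store(parse_package_list(text))


def fetch_from_device():
    """Run the real command if adb is available; otherwise fall back to the sample."""
    if shutil.which("adb") is None:
        return SAMPLE_OUTPUT
    result = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3", "-i"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for pkg in audit(fetch_from_device()):
        print("not from Play Store:", pkg)
```

This is a heuristic, not proof of compromise: an installer of `null` also appears for apps a vendor pushed at the factory image level, and a clean package can be sideloaded legitimately. Treat anything unfamiliar on the list as a candidate for removal with `adb uninstall`, and remember that the authoritative certification status is shown in the Play Store app's settings under "Play Protect certification".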

It might also be worth investing in one of the best Wi-Fi routers or the best mesh Wi-Fi systems with security software built-in. While the best antivirus software can keep your PC safe from malware, network-wide security solutions like Netgear's Armor or TP-Link's HomeShield protect all of the devices connected to your home network from viruses and other threats. If you want our recommendation for the best official Android TV box out there, we still really like the Nvidia Shield (even though it's an older model).

What if you do own a cheap Android set top box?


If you've picked up a cheap, unofficial Android set-top box and are worried about it becoming infected with malware, you should be. We've covered this several times in the past, and I wouldn't recommend buying one of these devices over, say, a Google TV Streamer or, if you're on a budget, an Onn Google TV like the Onn 4K Plus. However, if you've already paid good money for an unofficial Android set-top box, you're not completely out of luck.

If you head to the Google Play Store on either the device itself or on your phone or computer, you can download the ESET Smart TV Security app for free, though there is a paid version as well. It lets you run manual scans for malware at any time and, like Google Play Protect on one of the best Android phones, monitors any new apps you install for malware and other threats.

Now if you have some extra cash, the paid version takes things a step further with scheduled scans and anti-phishing protection at a very reasonable price of $1-3 per month or $15-20 for the year for a single device. Likewise, you can pick up one of the more advanced ESET Home plans which includes the premium version of Smart TV Security.

This should keep you safe and hold you over until your next upgrade. At which time, I highly recommend getting an official Android set top box instead.
