Discussion

Token Sane Person
@tokensane@mastodon.me.uk replied  ·  activity timestamp 7 minutes ago

@briankrebs I think the "Overseas Use Only" is because a device for use in China would have to comply with the Great Firewall and not try to connect you to streaming services that are banned in China.

Daniel 黄法官 CyReVolt 🐢
@CyReVolt@mastodon.social replied  ·  activity timestamp 12 minutes ago

@briankrebs As easy as it is to hate on China, let's please recheck. They are behind their firewall that renders anything unusable or at least close to unusable that is connecting from outside to inside and vice versa.
Not that cheap TV boxes are to be expected high quality, that is.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 7 minutes ago

@CyReVolt Okay. Everyone here is such an expert. Can't wait for next year.

rabbit5959
@rabbit5959@social.vivaldi.net replied  ·  activity timestamp 19 minutes ago

@briankrebs Interestingly enough, you also find that kind of label on some American foods. "For sale only in the United States, overseas territories, and military bases". Surely WE'RE not the botnet.... are we??

Nicola
@CryogenicIce9@mastodon.online replied  ·  activity timestamp 31 minutes ago

@briankrebs You're right, all Chinese-made TVs should block YouTube, all things Google, Wikipedia, Yandex video, Twitch and all things Amazon by default, just like they have to in mainland China.

Nicola
@CryogenicIce9@mastodon.online replied  ·  activity timestamp 27 minutes ago

@briankrebs Also, a brief list of TV networks that should not be viewable on any Chinese-made TV:

ABC, ABC (au), CBC, All BBC channels, NBC, HBO, Bloomberg, WION, TIME and so on.

I guess what I'm saying is that this is the stupidest fucking take out of all the stupid takes you've ever had.

Netraven
@Netraven@hear-me.social replied  ·  activity timestamp 39 minutes ago

@briankrebs don't worry, America has been doing the same and releasing software and hardware with backdoors in it to everyone for decades.

doopledi
@doopledi@sauna.social replied  ·  activity timestamp 40 minutes ago

@briankrebs Fairly interesting too that according to "reports" some AndroidTVs have not had a software update in ages. I'm yet to make a fuss about it but...

crazyeddie
@crazyeddie@mastodon.social replied  ·  activity timestamp 1 hour ago

@briankrebs The cited article makes this sound more like the boxes get infected with something through post-purchase install.

The TVs that are packaged for overseas have the software for overseas that includes access to stuff that their own citizens are not allowed to access. The main google app stores and such.

Stuff like CE and FCC marks are for the whole package. Software included.

The botnet is a worry and these things are NOT secure, but this stamp doesn't say anything worrisome for us

x41h
@x41h@infosec.exchange replied  ·  activity timestamp 2 hours ago

@briankrebs yup

Regendans
@regendans@todon.eu replied  ·  activity timestamp 2 hours ago

Page won't load for me. archive.org to the rescue : https://web.archive.org/web/20251221132941/https://blog.xlab.qianxin.com/kimwolf-botnet-en/

奇安信 X 实验室

Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices

Background On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later, it even surpassed Google
Becca
@bweller@mstdn.social replied  ·  activity timestamp 2 hours ago

"Investigations found that the author of Kimwolf shows an almost "obsessive" fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple samples.

For example, in sample 2078af54891b32ea0b1d1bf08b552fe8, the domain fuckbriankrebs[.]com is embedded in both its udp_dns and mc_enc attack methods, used to generate DNS request payloads."

😂🤣

@briankrebs

Jellal
@jellal@sakurajima.moe replied  ·  activity timestamp 3 hours ago

@briankrebs I looked through the article, but I don't see how China-produced products are related to this botnet. Doesn't the malware focus on Android streaming boxes regardless of where they were produced? As far as I can see, the article didn't link the botnet to China either. (There are genuine questions btw.)

Jackie 🍉🏳️‍⚧️☭
@burnoutqueen@todon.nl replied  ·  activity timestamp 3 hours ago

@briankrebs

telling people to waste perfectly good TV boxes that can run Linux is absolutely the wrong takeaway

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 3 hours ago

@burnoutqueen ok. that's fine. I recognize there are some people who think piracy is a right and anyone saying otherwise is ill-informed, a tech noob, or a fear monger.

Allan Girvan
@agirvan@glasgow.social replied  ·  activity timestamp 3 hours ago

@briankrebs

You should stick to something safe, like an Amazon Firestick.

They're made in...

China!

https://www.accio.com/supplier/amazon-fire-stick-manufacturer

Amazon Fire Stick Manufacturers: Verified Global Suppliers & Custom Solutions

Need reliable Amazon Fire Stick manufacturers? Connect with certified suppliers offering low MOQ, 4K streaming devices, and customization options. Request quotes today!
George E. 🇺🇸♥🇺🇦🇵🇸🏳️‍🌈🏳️‍⚧️
@gme@bofh.social replied  ·  activity timestamp 3 hours ago

@briankrebs@infosec.exchange
I do find it funny that "FOR OVERSEAS ONLY" is written in ENGLISH and not Mandarin. You would think if a product was not designed for the Chinese market, it would warn the Chinese that the product is for export only, in Chinese. Most Chinese are not bilingual. LOL.

cake-duke
@oneloop@mastodon.xyz replied  ·  activity timestamp 3 hours ago

@briankrebs Krebs is on mastodon! Awesome! Following.

miki
@miki@dragonscave.space replied  ·  activity timestamp 3 hours ago

@briankrebs How do those devices (along with all the fridges and IOT cameras that make up most botnets) get infected? Aren't most of them behind NAT? I understand "default passwords", but for that to be a problem, there has to be a way for the attacker to connect to a device in the first place, and that is the part I don't get.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 3 hours ago

@miki this is the subject of my reporting in the New Year. Stay tuned.

Karel 'Clock' K.
@clock@f.cz replied  ·  activity timestamp 3 hours ago

@briankrebs I don't think China is a country. I think it's a stateless territory infested by a criminal communist terrorist organization whose kingpin is Xi Jin Ping.

Fellows
@fellows@cyberplace.social replied  ·  activity timestamp 3 hours ago

@briankrebs I don’t own one but my understanding is that these Android TV boxes are typically used for watching pirated content. I can’t see any company putting heavy efforts into the security of their product when it’s used for this purpose. Whether they’re intended to be a Trojan horse or not, the risk their use brings is too high in my humble opinion and I agree with Brian, they should be binned.

Karel 'Clock' K.
@clock@f.cz replied  ·  activity timestamp 3 hours ago

@briankrebs Evidence that "these things are responsible for building out a botnet that currently has ~2M devices and is growing rapidly"?

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 3 hours ago

@clock are you asking for evidence? Read the story I linked from XLAB.

Clayton O'Neill
@clayton_oneill@mastodon.cloud replied  ·  activity timestamp 4 hours ago

@briankrebs You seem to be implying this violates some Chinese security regulations and isn't approved for domestic sale, but the much more likely explanation is that these boxes are banned in China due to state media control concerns: https://www.ibtimes.com/china-cracks-down-set-top-box-market-bans-popular-streaming-apps-2189776

International Business Times

Set-Top Box Crackdown Riles Consumers In China

Chinese consumers are not happy with the change, saying the government's new rules are meant to support cable companies and establishment media.
Julius Schwartzenberg - Юліус
@jschwart@mas.to replied  ·  activity timestamp 4 hours ago

@briankrebs note that you can run Armbian on some of these. Be sure to look at the Armbian forums for unofficial builds if there's no official build.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 4 hours ago

@jschwart AFAIK, there's no way to use these devices securely.

Julius Schwartzenberg - Юліус
@jschwart@mas.to replied  ·  activity timestamp 4 hours ago

@briankrebs it's not clear to me why replacing the entire software wouldn't make them secure.

It might possibly even work to simply kill the offending applications. I have a very cheap box (was around $25) which became quiet with regards to traffic after I stopped various applications (mainly a torrent one that was there with a preconfigured torrent was establishing a lot of connections).

When I insert an SD card with Armbian, it just boots that instead of Android.

Julius Schwartzenberg - Юліус
@jschwart@mas.to replied  ·  activity timestamp 3 hours ago

@briankrebs the XLAB article mentions the X96Q which matches the model on my box (there are different boxes with that model though).

It also mentions that the culprit is in some so files from a particular apk. This means running Armbian should be fine if you have an affected box:
Working images can be found on the forums: https://forum.armbian.com/search/?q=X96Q

I'll check if my box has those apk/so files when I get an opportunity.

Generally the hardware itself should be fine though, wasteful to just bin it.

Nicolas Guay
@machinaecrire@mstdn.social replied  ·  activity timestamp 4 hours ago

@briankrebs @jschwart How about not hooking it to the Internet and just using it as a display device? (Honest question.)

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 4 hours ago

@machinaecrire @jschwart If I told you a certain brand of Christmas tree lights could burn your house down, would you then pull out all the lights from the strand and use it as an extension cord?

Héliosélène
@helioselene@h4.io replied  ·  activity timestamp 4 hours ago

@briankrebs

It could be the other way around: less spying for foreigners? After all, China spies on its own citizens more than anyone else.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 4 hours ago

Meant to link to my previous reporting on this topic, which briefly touches on some of the challenges w/ the ubiquity and sheer insecurity-by-design of most of these Android TV/movie streaming devices

https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

Is Your Android TV Streaming Box Part of a Botnet?

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for…
Sterling
@AG100pct@infosec.exchange replied  ·  activity timestamp 3 hours ago

@briankrebs Nice article !

Mike. 🩼🇨🇦
@MikeImBack@disabled.social replied  ·  activity timestamp 4 hours ago

@briankrebs I switched to Roku... I hope that's good. I haven't heard anything about Roku yet

Mans R
@mansr@society.oftrolls.com replied  ·  activity timestamp 38 minutes ago

@MikeImBack @briankrebs Roku reports your usage every few minutes and shows ads, though both can be subverted with DNS blocks.

Sébastien Duquette
@ekse@noc.social replied  ·  activity timestamp 4 hours ago

@briankrebs I think you're reading too much into this one Brian. This is most likely because of the different voltage, the US uses 120v, China uses 240v like Europe.

Neil Craig
@tdp_org@mastodon.social replied  ·  activity timestamp 4 hours ago

@briankrebs Feels weird that they write "overseas use only" in English...seems like Mandarin might be a better choice perhaps? 🤣🤷🏼‍♂️

AI6YR Ben
@ai6yr@m.ai6yr.org replied  ·  activity timestamp 4 hours ago

@briankrebs 😱
