Inexpensive Android-based streaming boxes marketed with access to hundreds of channels often require replacement of the official Google Play Store with an unofficial app marketplace to install the software that enables “free” streaming. This modification bypasses Google’s certification and security ecosystem, exposing the device to intrusive applications that can conscript the owner’s network connection into relaying internet traffic for other parties. Security analysis found that some of these devices routinely contact third-party servers and proxy services, indicating their use in broader internet abuse such as advertising fraud or account takeover operations facilitated by unauthorized network forwarding.

The underlying issue is not the hardware itself but the software ecosystem that ships with it: many devices are preconfigured or encouraged to install apps that embed backdoors and network tools. Once compromised, the connections and compute resources of these otherwise consumer devices can be repurposed without the user’s awareness to support botnet infrastructure, proxy networks, or other malicious services. This reflects a broader trend of malware ecosystems leveraging poorly secured, popular Android-based devices outside official vendor support channels, turning everyday gadgets into unwitting participants in cybercrime activities.

‍

Source: https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/