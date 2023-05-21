Cheap Android media boxes and TV sticks might not only struggle to run your favourite video streaming apps but can also leak your sensitive personal information to hackers.

Android TV boxes offer a great way of equipping older TVs with smart capabilities, such as the ability to watch video streaming services.

Nowadays, South Africans will find a myriad of cheap Android TV streaming boxes selling in the R700–R1,000 range, with some even selling below R500.

These are readily available to order from major online platforms — including ecommerce giant Takealot and Bob Shop.

However, many of these devices come pre-installed with software that allows malicious files to be deployed that could steal your data and abuse your Internet connection.

This problem received widespread attention after well-known technology YouTube channel Linus Tech Tips (LTT) highlighted it.

The video’s publication followed Reddit user Daniel Milisic’s (DesktopEcho’s) discovery of a pre-installed backdoor on the Allwinner T95 Android TV box.

LTT founder Linus Sebastian and his team independently tested several cheap Android TV boxes similar to the T95 to see if they featured the same vulnerabilities.

They found that about half of the devices came with a directory dubbed “CoreJava”, into which dangerous payloads could be delivered via suspicious servers communicating with the box.

CoreJava appears to be a relative of the infamous CopyCat Android malware, which previously infected an estimated 14 million devices.

Sebastian explained the malware had “truly terrifying” capabilities, including rooting devices, injecting itself alongside launched apps, and controlling network activity.

That made it capable of numerous nefarious activities, including phishing user details like app logins.

Pirated content first sign of danger

Sebastian said many of these boxes offering cheap or free access to copyrighted movies and TV shows out of the box was a major red flag.

“It’s important to remember that the kinds of folks who are willing to help you circumvent copyright law tend to be the same kind of folks who don’t care about other laws either — like privacy or data collection laws,” Sebastian said.

“Unless you know your way around Android very well and can get a clean image onto your [box], there is nothing to guarantee that it won’t eventually engage in illicit activities on your network or try to steal your Google login.”

Aside from the Allwinner T95, boxes confirmed to be pre-loaded with malware include the RockChip X12 Plus and RockChip X88 Pro 10, both of which were being sold on Amazon.com at the time of writing.

MyBroadband found the latter was also being sold on Takealot — either by its original name or in a rebranded form as one of the “MXQ Pro” devices.

Chipsets that consumers should be sceptical of include the Allwinner H and Rockchip RK series.

In addition to the possibility of exposing yourself to malware, many of the cheap boxes make false claims about their features and specifications.

For example, Sebastian’s team found that one box advertised with 4GB of RAM only had 2GB.

Coupled with outdated or invalid versions of Android, many of these boxes stutter and perform poorly.

Furthermore, Linus Tech Tips discovered that many devices claiming to support 4K could only stream up to full HD.

MyBroadband found several models being sold in South Africa claiming to support 6K or 8K video streaming.

To ensure you don’t buy an Android TV stick or box that does not underperform or comes with pre-installed backdoors for malware, you should check if it’s Google-certified.

Numerous legitimate boxes and sticks available — from R849

Fortunately, the range of Google-certified Android media boxes and TV sticks on the South African market has grown substantially in the past few years.

We easily found over ten models with certification, some of which were cheaper than some non-certified Android TV boxes.

To double-check whether an Android box or stick you are interested in is certified, you can consult Android TV Guide’s extensive list of Google-certified smart TVs and boxes.

If Netflix or Amazon Prime Video are among your favourite streaming services, you might benefit from devices the two companies have also certified.

The list provided by Android TV Guide also indicates if the boxes come with certification from those services.

The list below names 10 Google-certified Android TV boxes you can buy in South Africa, all of which support up to 4K streaming and are Netflix and Amazon Prime Video certified.