Thousands of Android TV boxes infected with dangerous malware leading to fraud

If you stream on an Android TV box, especially a cheap off-brand one, the device may have shipped with malware that commits ad fraud, creates fake accounts, or sells access to your home network.

According to a report published this week, cybersecurity firm Human Security found that several models of Android TV boxes, and at least one tablet, carry firmware backdoors that are hard to detect and even harder to remove, straight out of the box. Human Security has confirmed that at least 74,000 Android phones, tablets, and connected TV boxes worldwide are showing signs of infection, and, according to Wired, the researchers found indications that at least 200 different Android device models may be affected. The confirmed devices are seven TV boxes (the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) and the J5-W tablet. Gavin Reid, CISO of Human Security, told Wired, "This is a truly distributed fraud approach." He added that law enforcement has already received all the details collected about the facility where the devices may have been manufactured.

The modus operandi is this. The devices are manufactured in China, and at some point in the supply chain, before they reach resellers or stores, a backdoor is planted in the firmware. The backdoor is built on the Triada malware. Triada is a "downloader": its primary purpose is to open a channel through which further malicious programs can be fetched and installed. Human Security calls these firmware-level infections BadBox and ties them to a worldwide network of fraud and cybercrime.

"Unbeknownst to the user, when they plug this in, it goes to Chinese Command and Control (C2), downloads an instruction set, and starts doing a bunch of bad things," Reid told the outlet.

The operators then use that foothold on the compromised device to run several kinds of scams, including ad fraud, creating fake Gmail and WhatsApp accounts, and installing additional code remotely, the Human Security report explains. The group behind the scheme commercially sells access to the residential networks behind the infected devices, claiming to have access to millions of mobile IP addresses.

Cybersecurity firms report that the BadBox operators have been taking down command-and-control servers, presumably to adapt and evade defensive measures amid the heightened scrutiny. Because the malware lives in the firmware (system) partition rather than among user-installed apps, a factory reset does not remove it, and removal is very difficult without technical know-how.

"You can think of these badboxes as a kind of sleeper cell; the badbox just sits there waiting for a set of instructions," Reid told Wired. He advised anyone shopping for a new streaming box to choose a brand they know and to stick with devices from trusted manufacturers.
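Because the implant lives in firmware, the practical place for a home or small-office user to look for a BadBox-style device is the network rather than the box itself. The Python script below is an added example, not code from Human Security or from the report. It reads router connection-log lines in a constructed, simplified format (epoch time, source, destination, destination port, protocol) and flags the two behaviours the article attributes to infected devices: one device fanning out to many distinct external hosts, as a residential-proxy exit would, and regular-interval check-ins to a single external host, as a sleeper implant polling its C2 would. The sample traffic, the addresses (RFC 5737 documentation ranges stand in for internet hosts), the device roles and the thresholds are all assumptions.

```python
"""Network-side heuristics for spotting a BadBox-style implant on a home LAN.

Added example, not from Human Security's report. The log format, the
addresses (RFC 5737 documentation ranges stand in for internet hosts),
the device roles and the thresholds are all constructed assumptions.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges treated as "inside the home network" (assumption).
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip):
    """True if ip is outside the LAN ranges above."""
    addr = ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_line(line):
    """Parse '<epoch> <src> <dst> <dst_port> <proto>'; return None on junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return int(ts), str(ip_address(src)), str(ip_address(dst)), int(port), proto
    except ValueError:
        return None


def outbound_records(lines):
    """Yield parsed records for LAN -> internet connections only."""
    for line in lines:
        rec = parse_line(line)
        if rec and not is_external(rec[1]) and is_external(rec[2]):
            yield rec


def proxy_like_hosts(lines, min_distinct_dsts=10):
    """Hosts that talked to at least min_distinct_dsts distinct external IPs.

    A streaming box should talk to a handful of content/update endpoints;
    a residential-proxy exit relays other people's traffic to many hosts.
    Returns [(src_ip, distinct_destination_count), ...], largest first.
    """
    dsts = defaultdict(set)
    for _, src, dst, _, _ in outbound_records(lines):
        dsts[src].add(dst)
    flagged = [(src, len(d)) for src, d in dsts.items() if len(d) >= min_distinct_dsts]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


def beaconing_pairs(lines, min_connections=5, max_jitter=0.05):
    """(src, dst, port) tuples contacted at near-constant intervals.

    Jitter is the coefficient of variation of the gaps between connections;
    an implant polling its C2 on a timer sits close to zero, while
    human-driven traffic does not.
    Returns [((src, dst, port), mean_gap_seconds, jitter), ...].
    """
    times = defaultdict(list)
    for ts, src, dst, port, _ in outbound_records(lines):
        times[(src, dst, port)].append(ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((key, round(mean), round(jitter, 3)))
    return hits


def constructed_log():
    """Constructed sample traffic (not a real capture)."""
    base = 1_700_000_000
    lines = []
    # 192.168.1.20: a laptop, a few destinations, irregular timing.
    for off, dst in ((0, "198.51.100.7"), (137, "198.51.100.7"),
                     (410, "198.51.100.9"), (422, "192.0.2.44")):
        lines.append(f"{base + off} 192.168.1.20 {dst} 443 tcp")
    # 192.168.1.31: the TV box, checking in with one host about every 300 s ...
    for off in (0, 300, 598, 901, 1202, 1501):
        lines.append(f"{base + off} 192.168.1.31 203.0.113.10 443 tcp")
    # ... and relaying to a dozen unrelated hosts in between (proxy exit).
    for i in range(12):
        port = 80 if i % 2 else 443
        lines.append(f"{base + 50 + 37 * i} 192.168.1.31 198.51.100.{100 + i} {port} tcp")
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for src, n in proxy_like_hosts(SAMPLE_LOG):
        print(f"proxy-like fan-out: {src} -> {n} distinct external hosts")
    for (src, dst, port), gap, jitter in beaconing_pairs(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst}:{port} every ~{gap}s (jitter {jitter})")
```

On the constructed sample the TV box is the only host flagged by both checks: 13 distinct external destinations and a check-in to one host roughly every 300 seconds with jitter near zero, while the laptop's handful of irregular connections stays quiet. Real router exports (conntrack dumps, NetFlow, or firewall logs) need a format-specific parser in place of `parse_line`, and the thresholds should be tuned per network, since a legitimate streaming app can also fan out to many CDN nodes.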

In a statement to Tom's Guide, a Google spokesperson offered further insight into the situation, stating: "The off-brand devices found to be infected with BADBOX were not Play Protect certified Android devices; devices that are not Play Protect certified have not been tested by Google for security and compatibility. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To verify if your device is built on the Android TV OS and Play Protect certified, our Android TV website provides an up-to-date list of partners. You can also check to see if your device is Play Protect certified by following these steps."
