Google said Android-branded streaming devices that are sold through popular e-tail channels, including Amazon, and come loaded with adware out of the box are powered by Android Open Source Project software, not Android TV.
"We have recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices," Google said in a blog posted late last week.
"Some of them may also come with Google apps and the Play Store that are not licensed by Google, which means that these devices are not Play Protect certified," Google added. "To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified."
The devices in question, marketed under brand names like T95Max, RockChip X12 Plus and RockChip X88 Pro 10, are based on system-on-a-chip hardware from AllWinner and RockChip.
On Amazon, the T95 is listed as an "Android 10.0 TV Box." Nowhere is a distinction made between "Android Open Source Project" and "Android TV."
Ontario, Canada-based IT pro Daniel Milisic published his experience with a T95 on GitHub last year. The device has a four-star rating on Amazon amid 744 reviews.
Milisic said the device began connecting out of the box with a botnet of thousands of other infected Android TV gadgets around the world. The device, he said, immediately sought out a command and control server, which downloaded additional malware to his gadget.
The malware enabled the T95 to begin conducting ad-click fraud, clicking on ads in the background.
In his GitHub post, Milisic published the script he used to "defang" what he described as a "no good, awful, nasty little ARM-powered TV/hobby box."
Milisic's findings were confirmed by Electronic Frontier Foundation security researcher Bill Budington in a report.