Android TV Box sold on Amazon contains malware


The box is available on Amazon and AliExpress for as low as $40.

The affected device was a T95 Android TV box that came with sophisticated, persistent and pre-installed malware embedded in its firmware.

A Canadian infrastructure and security systems consultant, Daniel Milisic, discovered malware on an Android TV Box (an Android-10-based TV box in this case) that he purchased from Amazon. Milisic has now created a script and guide to help users neutralize the payload and prevent it from communicating with the C2 server.

Details of the findings

The box came with sophisticated, persistent and preloaded malware integrated into its firmware. The affected device was an Android T95 TV box with an AllWinner T616 processor. This device is available on all major e-commerce platforms, including Amazon and AliExpress, for as low as $40.

An Android T95 TV box sold on Amazon

Milisic posted about the matter on GitHub and Reddit, explaining that the device, which uses the Allwinner H616 chip, had its Android 10 operating system signed with test keys and had the Android Debug Bridge (ADB) open. Thus, any user could access it via WiFi and Ethernet.

Milisic intended to run the Pi-hole DNS sinkhole, ad-blocking software that protects devices from unwanted ads, unwanted content, and malicious sites. However, when the box's DNS requests were analyzed, the software highlighted various IP addresses to which the box tried to connect.

As a result, he found that the box reached out to many “addresses of active and unknown malware”, he wrote. He did not specify whether multiple devices of the same make or model were affected.

Malware scan

The malicious operation was similar to the CopyCat Android malware, which hijacks devices to install apps and display advertisements to generate revenue for threat actors. Milisic found another piece of malware installed on the device, identified as Adups. The researcher scanned the first-stage malware sample on VirusTotal, which returned thirteen detections out of sixty-one AV engine scans.

Further evaluation, using nethogs and tcpflow to monitor traffic, revealed multiple layers of malware. He then traced the traffic back to the offending process/APK and removed it from the ROM.

“The last piece of malware that I couldn’t locate injects the ‘system_server’ process and appears to be deep in ROM,” Milisic explained.

The malware also attempted to fetch additional payloads from ‘ycxrl.com’, ‘cbphe.com’ and ‘cbpheback.com’.
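The DNS-level check described above can be automated over a sinkhole's query log. The following is an added example, not code from Milisic's script or from Pi-hole; it assumes the dnsmasq-style `query[TYPE] name from client` log line format, and the sample log lines are constructed:

```python
import re
from collections import defaultdict

# Domains the article says the malware contacted for additional payloads.
IOC_DOMAINS = {"ycxrl.com", "cbphe.com", "cbpheback.com"}

# Assumed log line shape: "<timestamp> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def matched_ioc(name):
    """Return the IoC domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    # Compare whole label suffixes, so "notycxrl.com" and
    # "ycxrl.com.example.org" are not mistaken for hits.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def scan(lines):
    """Map client address -> {ioc_domain: query_count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line.strip())
        if not m:
            continue  # forwarded/reply lines and anything unparseable
        ioc = matched_ioc(m.group("name"))
        if ioc:
            hits[m.group("client")][ioc] += 1
    return {client: dict(counts) for client, counts in hits.items()}

# Constructed sample log (not taken from the article or from Milisic's posts).
SAMPLE_LOG = """\
Jan 10 21:04:11 dnsmasq[812]: query[A] ycxrl.com from 192.168.1.50
Jan 10 21:04:11 dnsmasq[812]: forwarded ycxrl.com to 192.0.2.53
Jan 10 21:04:12 dnsmasq[812]: query[AAAA] Update.CBPHE.com. from 192.168.1.50
Jan 10 21:04:15 dnsmasq[812]: query[A] notycxrl.com from 192.168.1.23
Jan 10 21:04:19 dnsmasq[812]: query[A] cbpheback.com from 192.168.1.50
Jan 10 21:05:02 dnsmasq[812]: query[A] ycxrl.com.example.org from 192.168.1.23
Jan 10 21:05:40 dnsmasq[812]: query[A] ycxrl.com from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for client, domains in scan(SAMPLE_LOG).items():
        print(client, domains)
```

Any client address that appears in the result is a device on the network that queried one of the listed domains and should be isolated for inspection.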

How to stay protected?

Milisic recommends that users find out whether their box is infected by checking whether the device contains the “/data/system/Corejava” folders and the “/data/system/sharedprefs/openpreference.xml” file. If so, the box is compromised.

In his GitHub post, Milisic explained that the easiest way to partially disable the malware is to pull the plug to disrupt the malware’s communication path to attacker-controlled servers. In his Reddit post, Milisic wrote that a factory reset would not help as it would reinstall the malware on the box again.
