A Canadian systems security consultant, Daniel Milisic, recently bought an Android TV box from Amazon. It came with malware. It was in its firmware. Milisic created a script and instructions to help users. It nullifies the payload and stops communicating with the Command and Control (C2) server. The device in question is the T95 Android TV box with an AllWinner T616 processor. It is widely available through Amazon, AliExpress, and other big e-commerce platforms.

Is malware installed on all devices?

It is unclear if this single device had malware or if all devices from this model have malicious components. The T95 streaming device uses an Android 10-based ROM signed with test keys. Also, the Android Debug Bridge (ADB) opens over Ethernet and WiFi. This is a suspicious configuration as ADB is instrumental in connecting to devices. It is for unrestricted filesystem access, command execution, software installation, data modification, and remote control. However, as most consumer streaming devices sit behind a firewall, threat actors cannot connect to ADB remotely.

Milisic initially bought this device to run the Pi-hole DNS sinkhole. Without installing software, it protects devices from unwanted content, advertisements, and malicious sites. While analyzing the DNS request in Pi-hole, Milisic discovered that the device was attempting to connect to several IP addresses. These addresses has link with active malware. He believes the malware installed on the device is a strain that resembles ‘CopyCat’. It is a sophisticated Android malware first discovered by Check Point in 2017. This malware was previously seen in an adware campaign. It infected 14 million Android devices to make its operators over $1,500,000 in profits.

The analyst tested the stage-1 malware sample on VirusTotal. It returns only 13 detections out of 61 AV engine scans. It classified with the generic term of an Android trojan downloader.

“I found layers on top of layers of malware using ‘tcpflow’ and ‘nethogs’ to monitor traffic and traced it back to the offending process/APK, which I then removed from the ROM,” explains Milisic in a GitHub post.

“The final bit of malware I could not track down injects the ‘system_server’ process and looks to be deeply baked into the ROM.”

How to nullify the malware?

The analyst observed that the malware attempted to fetch additional payloads from ‘ycxrl.com,’ ‘cbphe.com,’ and ‘cbpheback.com.’

Because finding a clean ROM to replace the malicious one is just as challenging. Milisic resorted to changing the DNS of the C2 to route the requests via the Pi-hole web server. It makes it possible to block them. Users of T95 are recommended to follow the two simple steps to clean their device and nullify the malware.

1. Reboot into recovery mode or perform “Factory Reset” from the settings menu.

2. Upon reboot, connect to ADB via USB or WiFi-Ethernet and run this script. To confirm the rendered malware is harmless, run “adb logcat | grep Corejava.”

3. Verify that the chmod command failed to execute.

Uncertainty in Electronics Market due to pre-installed malware

However, as these devices are fairly inexpensive on Amazon, it may be wiser to discontinue using them if you can afford to do so. Unfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability. In many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate. Furthermore, as the devices commonly flow through many hands, vendors and re-sellers have several opportunities to load custom ROMs on the devices, potentially malicious ones. Even if most e-commerce sites have