The box is available on Amazon and AliExpress for as low as $40.
The affected device was a T95 Android TV box that came with sophisticated, persistent, and pre-installed malware embedded in its firmware.
A Canadian infrastructure and security systems consultant, Daniel Milisic, discovered malware on an Android 10 TV box he had bought on Amazon. Milisic has since published a script and guide that disable the payload and cut off its communication with the command-and-control (C2) server.
The malware is embedded in the firmware rather than installed as an app, which is what makes it persistent. The device is a T95 Android TV box built around an AllWinner SoC (identified as the T616 in some reports and as the H616 in others), and it is sold on all the leading e-commerce platforms, including Amazon and AliExpress, for as little as $40.
Milisic posted about the issue on GitHub and Reddit. He explained that the box's Android 10 build was signed with the publicly available AOSP test keys, so anyone can produce system components the device will accept as genuine, and that it shipped with the Android Debug Bridge (ADB) listening on the network, so anyone on the same Wi-Fi or Ethernet segment could open a shell on it.
Milisic had intended to use the box as a client of Pi-hole, a DNS sinkhole that blocks ads, trackers and known-malicious domains. Pi-hole's query log instead showed the box repeatedly trying to reach addresses he did not recognise.
The box was contacting several “unknown, active malware addresses,” he wrote. He did not say whether other units of the same brand or model are affected.
The malware's behaviour resembled CopyCat, an Android malware family that hijacks devices to install apps and display ads for the operators' profit. Milisic also found a second piece of malware on the device, identified as Adups. Scanning the stage-1 sample on VirusTotal returned thirteen detections from sixty-one antivirus engines.
Using nethogs and tcpflow to watch per-process network traffic, he found that the infection had several layers, traced the traffic back to the responsible process and its APK, and removed that APK from the ROM.
“The final bit of malware I could not track down injects the ‘system_server’ process and looks to be deeply baked into the ROM,” Milisic explained.
The malware also tried to fetch additional payloads from ‘ycxrl.com,’ ‘cbphe.com,’ and ‘cbpheback.com.’
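The Pi-hole observation above is easy to turn into a detection: Pi-hole writes every lookup to a dnsmasq-style query log, so a short awk pass over it flags any client resolving the three C2 domains named here, subdomains included. The script below is an added example, not Milisic's script or anything from his repository; the log lines are constructed for the example and only follow the format of /var/log/pihole.log, and the `address=/…/0.0.0.0` lines it emits are standard dnsmasq syntax for answering a domain and all its subdomains with a null address.

```shell
#!/bin/sh
# Added example: flag lookups of the T95 C2 domains in a Pi-hole (dnsmasq-style)
# query log and emit a dnsmasq drop-in that sinkholes them.

# Domains the payload was seen fetching from, per the write-up above.
C2_DOMAINS="ycxrl.com cbphe.com cbpheback.com"

# scan_log <logfile>: print "client domain" for every query line whose
# name is one of the C2 domains or a subdomain of one.
scan_log() {
    awk -v doms="$C2_DOMAINS" '
        BEGIN { n = split(doms, d, " ") }
        # dnsmasq format: Mon DD HH:MM:SS dnsmasq[pid]: query[TYPE] name from client
        $5 ~ /^query\[/ {
            q = tolower($6); client = $8
            for (i = 1; i <= n; i++) {
                if (q == d[i] || substr(q, length(q) - length(d[i])) == "." d[i])
                    print client, q
            }
        }' "$1"
}

# hit_count <logfile>: number of matching queries.
hit_count() {
    scan_log "$1" | wc -l | tr -d ' '
}

# sinkhole_conf: dnsmasq lines that answer each C2 domain (and its
# subdomains) with 0.0.0.0; drop them into /etc/dnsmasq.d/99-t95.conf
# on a Pi-hole that reads that directory, or into any dnsmasq config.
sinkhole_conf() {
    for d in $C2_DOMAINS; do
        echo "address=/$d/0.0.0.0"
    done
}

# Constructed sample log (not real captured data) in dnsmasq's log format.
T95_LOG=$(mktemp)
cat > "$T95_LOG" <<'EOF'
Jan 12 10:00:01 dnsmasq[1234]: query[A] connectivitycheck.gstatic.com from 192.168.1.50
Jan 12 10:00:01 dnsmasq[1234]: forwarded connectivitycheck.gstatic.com to 1.1.1.1
Jan 12 10:00:02 dnsmasq[1234]: query[A] ycxrl.com from 192.168.1.50
Jan 12 10:00:02 dnsmasq[1234]: query[A] api.cbphe.com from 192.168.1.50
Jan 12 10:00:03 dnsmasq[1234]: query[AAAA] cbpheback.com from 192.168.1.50
Jan 12 10:00:04 dnsmasq[1234]: query[A] www.youtube.com from 192.168.1.77
EOF

echo "C2 lookups found: $(hit_count "$T95_LOG")"
scan_log "$T95_LOG"
echo "--- dnsmasq sinkhole drop-in ---"
sinkhole_conf
```

On the constructed log the scan reports three hits, all from the box at 192.168.1.50, and ignores the ordinary traffic; the client column is what tells you which device on the LAN to go and unplug.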
How to Stay Protected?
Milisic recommends that users check whether their box is infected by looking for the directory /data/system/Corejava and the file /data/system/shared_prefs/open_preference.xml. If they are present, the box is compromised.
In his GitHub post, Milisic explained that the simplest way to partially disable the malware is to pull the plug, which cuts its communication path to the attacker-controlled servers. In his Reddit post he added that a factory reset does not help: the payload is part of the firmware image rather than of the user data a reset wipes, so the reset simply reinstalls it.
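The indicator check above, together with the two firmware properties that made the box exposed in the first place (a test-keys build and ADB listening on the network), can be scripted over ADB. The script below is an added example, not Milisic's script; it assumes you have already run `adb connect <box-ip>:<port>` (5555 is the conventional ADB TCP port) and, where the ROM permits it, `adb root`, since /data/system is not readable by an unprivileged shell. It uses only `adb shell`, `test -e` and `getprop`; the `ADB` variable exists so the script can be pointed at a stub instead of a real device.

```shell
#!/bin/sh
# Added example: check a TV box over ADB for the T95 indicators and for the
# firmware properties that make it reachable and re-flashable by anyone.
ADB="${ADB:-adb}"   # override to point at a stub, e.g. ADB=./fake-adb

# On-device indicators from the guide above: a directory and a file.
INDICATORS="/data/system/Corejava /data/system/shared_prefs/open_preference.xml"

# path_exists <path>: 0 if the path exists on the device. The device-side
# test prints yes/no so the result survives adb's exit-status quirks;
# tr strips the CR that older adb builds append to shell output.
path_exists() {
    "$ADB" shell "test -e '$1' && echo yes || echo no" 2>/dev/null \
        | tr -d '\r' | grep -qx yes
}

# infected: 0 if any indicator path is present.
infected() {
    for p in $INDICATORS; do
        path_exists "$p" && return 0
    done
    return 1
}

# build_is_test_keys: 0 if ro.build.tags shows the ROM was signed with the
# public AOSP test keys, i.e. anyone can sign system components it trusts.
build_is_test_keys() {
    "$ADB" shell getprop ro.build.tags 2>/dev/null | tr -d '\r' | grep -q test-keys
}

# adb_over_tcp: 0 if adbd is configured to listen on a TCP port.
# service.adb.tcp.port is empty or -1 when ADB is USB-only.
adb_over_tcp() {
    port=$("$ADB" shell getprop service.adb.tcp.port 2>/dev/null | tr -d '\r ')
    [ -n "$port" ] && [ "$port" != "-1" ]
}

# report: human-readable summary of the three checks.
report() {
    if infected; then
        echo "INFECTED: an indicator path is present; unplug the box from the network"
    else
        echo "no indicator paths found"
    fi
    if build_is_test_keys; then
        echo "ro.build.tags contains test-keys: firmware signed with public AOSP keys"
    fi
    if adb_over_tcp; then
        echo "adbd listens on TCP port $port: reachable by anyone on the LAN"
    fi
}

if command -v "$ADB" >/dev/null 2>&1; then
    report
else
    echo "adb not found; set ADB to the adb binary (or a stub) and re-run"
fi
```

A clean result from this script only says the two known indicator paths are absent; the injected system_server component Milisic could not track down has no file indicator here, so the network-side check of what the box resolves remains the more reliable signal.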