Pierluigi Paganini
January 16, 2023
Security researcher, Daniel Milisic, discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware.
This Android TV box model is available on Amazon and AliExpress for as low as $40.
The device came with Android 10 (with working Play store) and an Allwinner H616 processor. Milisic discovered pre-loaded malware into its firmware.
Milisic purchased the T95 Android TV box to run Pi-hole, which is a Linux network-level advertisement and Internet tracker blocking application.
After running the Pi-hole he noticed that the box was reaching addresses associated with malware campaigns.
“After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using tcpflow and nethogs to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.” the expert wrote on Reddit.
“The final bit of malware I could not track down injects the system_server process and looks to be deeply-baked into the ROM. It’s pretty sophisticated malware, resembling CopyCatin the way it operates. It’s not found by any of the AV products I tried — If anyone can offer guidance on how to find these hooks into system_server please let me know here or via PM.”
The device uses an Android 10 operating system that was signed with test keys. The expert also discovered that it had the Android Debug Bridge (ADB) reachable through the Ethernet port.
The malicious code embedded in the firmware of the device acts like the Android CopyCat malware. The experts pointed out that all the AV products he tested were not able to detect the threat.
Milisic also devised a trick to block the malware using the Pi-hole to change the DNS of the command and control server, YCXRL.COM to 127.0.0.2.
He also created an iptables rule to redirect all DNS to the Pi-hole as the malware/virus/whatever will use external DNS if it can’t resolve.
“By doing this, the C&C server ends up hitting the Pi-hole webserver instead of sending my logins, passwords, and other PII to a Linode in Singapore (currently 139.162.57.135 at time of writing).” continues the expert.
Watch out, the solution proposed by Milisic doesn’t remove the malicious code or disable it, it just neutralizes it interfering with its operations.
In order to determine if s T95 Android TV Box has been infected, the researcher recommends checking the presence of a folder named:
/data/system/Corejava
and a file named
/data/system/shared_prefs/open_preference.xml?
Milisic was not able to test other devices from the same vendor or model to determine if their firmware was infected too.
“Don’t trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys. They are stealing your data and (unless you can watch DNS logs) do so without a trace!” Milisic concludes.
Below are the cleanup instructions provided by the researcher on GitHub:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
