- Jan 21, 2018
- Content source
- Malware-infested Android TV boxes are still being sold online.
A few months ago I purchased a T95 Android TV box; it came with Android 10 (with working Play store) and an Allwinner H616 processor. It's a small-ish black box with a blue swirly graphic on top and a digital clock on the front. There's got to be thousands (or more!) of these boxes already in use globally.
There are tons of them available for purchase on Amazon and AliExpress.
This device's ROM turned out to be very very sketchy -- Android 10 is signed with test keys, and named "Walleye" after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If test keys weren't enough of a bad omen, I also found ADB wide open over the Ethernet port - right out-of-the-box.
I purchased the device to run Pi-hole among other things, and that's how I discovered just how nastily this box is festooned with malware. After running the Pi-hole install I set the box's DNS1 and DNS2 to 127.0.0.1 and got a hell of a surprise. The box was reaching out to many known, active malware addresses.
After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using
nethogsto monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.
The final bit of malware I could not track down injects the
system_serverprocess and looks to be deeply-baked into the ROM. It's pretty sophisticated malware, resembling CopyCat in the way it operates. It's not found by any of the AV products I tried -- If anyone can offer guidance on how to find these hooks into
system_serverplease let me know here or via PM.
The closest I could come to neutralizing the malaware was to use Pi-hole to change the DNS of the command and control server, YCXRL.COM to 127.0.0.2. You can then monitor activity with netstat: ...
There is more about this on this guy's reddit post. I was reading posts on a 'consumer best deals' website earlier this week in a thread discussing the pros and cons of buying 'branded' goods or cheaper 'copies', the latter being mostly relatively unknown Chinese brands. I was supposedly looking for monitor deals. I was appalled to read the number of posts saying its OK to get the cheaper 'copies' - 'I've never had a problem....blahblahblah'. How do they know that is the case? It seemed like a boasting competition to see who had got the cheapest deal. But at what price to privacy etc. It was like reading a fake news site, I have no data to say that all of the 'copies' are full of malware, but as with many cheap/free things, you pay in one way or another for them. I saw posts saying things like 'there are many positive reviews, so they must be OK', ignoring the possibility that these could be fake, fake reviews are rampant on parts of the internet. Its really sad IMO.