Cheap Android TV boxes includes malware right out-of-the-box (AllWinner H616)

Stopspying

Level 19
Thread author
Verified
Top Poster
Well-known
Jan 21, 2018
814
A few months ago I purchased a T95 Android TV box; it came with Android 10 (with working Play store) and an Allwinner H616 processor. It's a small-ish black box with a blue swirly graphic on top and a digital clock on the front. There's got to be thousands (or more!) of these boxes already in use globally.

There are tons of them available for purchase on Amazon and AliExpress.

This device's ROM turned out to be very very sketchy -- Android 10 is signed with test keys, and named "Walleye" after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If test keys weren't enough of a bad omen, I also found ADB wide open over the Ethernet port - right out-of-the-box.

I purchased the device to run Pi-hole among other things, and that's how I discovered just how nastily this box is festooned with malware. After running the Pi-hole install I set the box's DNS1 and DNS2 to 127.0.0.1 and got a hell of a surprise. The box was reaching out to many known, active malware addresses.

After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using tcpflow and nethogs to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.

The final bit of malware I could not track down injects the system_server process and looks to be deeply-baked into the ROM. It's pretty sophisticated malware, resembling CopyCat in the way it operates. It's not found by any of the AV products I tried -- If anyone can offer guidance on how to find these hooks into system_server please let me know here or via PM.

The closest I could come to neutralizing the malaware was to use Pi-hole to change the DNS of the command and control server, YCXRL.COM to 127.0.0.2. You can then monitor activity with netstat: ...

There is more about this on this guy's reddit post. I was reading posts on a 'consumer best deals' website earlier this week in a thread discussing the pros and cons of buying 'branded' goods or cheaper 'copies', the latter being mostly relatively unknown Chinese brands. I was supposedly looking for monitor deals. I was appalled to read the number of posts saying its OK to get the cheaper 'copies' - 'I've never had a problem....blahblahblah'. How do they know that is the case? It seemed like a boasting competition to see who had got the cheapest deal. But at what price to privacy etc. It was like reading a fake news site, I have no data to say that all of the 'copies' are full of malware, but as with many cheap/free things, you pay in one way or another for them. I saw posts saying things like 'there are many positive reviews, so they must be OK', ignoring the possibility that these could be fake, fake reviews are rampant on parts of the internet. Its really sad IMO.

 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,243
I'm not surprised, unfortunately.
There is also that with cheap smartphones bought on Chinese marketplaces that contained Trojans like Triada or XHelper...
You have to know that when you buy cheap Android boxes or something else, the ROM developers will not bother and will make a "return on investment" by installing a Trojan...
Especially since most people will never know that their device is infected from the factory!

Personally, I have an Android box at home, but I'll never take products I don't know.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
  • Google responds to reports of insecure Android TV boxes sold online.
  • The search engine giant warns that some of these devices may include Google apps that are not Play Protect certified.
  • Google offers a simple method for determining whether your set-top box is secure.
Google has finally addressed reports of malware-laden Android TV boxes being sold online, saying some of these devices may include apps not licensed by Google.

Earlier this year, Daniel Milisic, a Canadian security consultant, found that an Android TV box he purchased from Amazon was laced with malware designed to generate revenue by clicking on ads in the background (via Bleeping Computer). For the average user, this clandestine activity won't be easy to figure out.

The device in question was the AllWinner T95, which boasts four-out-of-five-star ratings and numerous positive reviews (via TechCrunch).
Aside from the above-mentioned Android TV box, Electronic Frontier Foundation researcher Bill Budington separately mentioned other models that do the same fraudulent activity, such as the AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
BadBox, PeachPit, Triada Malware -- all found in cheap Android TV boxes for streaming copyrighted live TV, movies and sport content.

Read Report (PDF): https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf

This is according to a new report from cybersecurity experts Human Security which claims that seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W, are all being shipped with Badbox, a downloader based on the Triada malware.

When the victim buys the device and turns it on, Badbox activates, reaches out to its command & control (C2) server, and then pulls whatever stage-two malware it is told to download.

The total number of victims is hard to determine, the researchers said, but they identified at least 74,000 Android mobile phones, tablets, and connected TV boxes that are infected.
“This is a truly distributed way of doing fraud," Human Security's CISO, Gavin Reid, told Wired. The police have been briefed on the findings, he added. There’s no word on the identity of the attackers, however Human Security said there are hackers out there offering advertising fraud, fake Gmail and WhatsApp accounts, and remote code installation. These threat actors are also offering access to residential networks, for a price. They claim to have “millions of mobile IP addresses” to work with. “You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid told the publication.

This is not the first time researchers have sounded the alarm on these TV boxes, as cybersecurity researcher Daniel Milisic was warning consumers about T95 and other models months ago.
Story via Cheap Android TV boxes shipped with "unkillable" malware - here's what you need to know
 
  • +Reputation
Reactions: Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top