Android TV box sold on Amazon came pre-infected with malware

An expert in Canadian security systems discovered that an Android TV Box purchased through Amazon had been preloaded with sophisticated, persistent malware.

Daniel Milisic discovered the malware and created instructions and a script to help users nullify the payload and stop it from communicating with C2 (command-and-control) servers.

This is the T95 Android TV Box with an AllWinner T616 CPU.

It is not clear whether only this one device was affected or whether all devices of this brand or model carry the malicious component.

Watch out for malware on your TV streaming box

The T95 uses an Android 10-based ROM signed with test keys, and ADB (Android Debug Bridge) is open over Ethernet or WiFi.

This configuration is suspicious because ADB can be used to connect to a device with unrestricted filesystem access, command execution, and software installation.

However, because most streaming devices sit behind firewalls, threat actors will usually not be able to reach ADB remotely.

Milisic claims that he originally bought the device in order to use the which protects users from malicious content and advertisements.

In the DNS requests sent to Pi-hole, Milisic found that the device was trying to connect to multiple IP addresses linked to active malware.

List of malicious domains T95 attempts to connect to
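The kind of DNS log review described above, as an added example (not Milisic's script and not code from the article). It assumes the resolver writes a dnsmasq-style query log; the watchlist domains, client addresses, and log lines are constructed placeholders, not the indicators from this case.

```python
import re
from collections import defaultdict

# Constructed watchlist: placeholder names, not the domains from the article.
WATCHLIST = {"c2.example.invalid", "payload.example.invalid"}

# Constructed sample lines in dnsmasq query-log format (assumed log format).
SAMPLE_LOG = """\
Jan 12 10:15:01 dnsmasq[812]: query[A] time.android.com from 192.168.1.50
Jan 12 10:15:02 dnsmasq[812]: query[A] c2.example.invalid from 192.168.1.50
Jan 12 10:15:02 dnsmasq[812]: reply c2.example.invalid is 203.0.113.7
Jan 12 10:15:09 dnsmasq[812]: query[AAAA] cdn.Payload.Example.invalid. from 192.168.1.50
Jan 12 10:16:30 dnsmasq[812]: query[A] example.org from 192.168.1.23
Jan 12 10:17:44 dnsmasq[812]: query[A] notc2.example.invalid from 192.168.1.23
"""

# Only "query[...] <name> from <client>" lines identify who asked for what.
QUERY_RE = re.compile(r"query\[[^\]]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def matches_watchlist(name, watchlist):
    """True if name equals a watchlisted domain or is a subdomain of one."""
    labels = normalize(name).split(".")
    # Compare label-aligned suffixes so 'notc2.example.invalid' does not
    # match 'c2.example.invalid' the way a plain endswith() would.
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def suspicious_clients(log_text, watchlist=WATCHLIST):
    """Map each client IP to the sorted watchlisted names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_watchlist(m["name"], watchlist):
            hits[m["client"]].add(normalize(m["name"]))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

A client that appears in the result is the device to isolate and inspect; a device that keeps querying watchlisted names after a factory reset points to a payload that survives in the ROM.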


Milisic suspects that the malware on the device is similar to ‘CopyCat’, a highly sophisticated Android malware. That malware was previously detected in an adware campaign that infected 14,000,000 Android phones and earned its owners over $1,500,000.

An analyst tested the stage-1 malware sample using . It returned only 13 detections from 61 AV engine scans and was classified as an Android trojan downloader.

In a , the analyst explains that he found layers upon layers of malware, used ‘tcpflow’ and ‘nethogs’ to monitor traffic, and traced it back to the offending process/APK.

“The last bit of malware that I was unable to find injects the system_server process. It looks like it is deeply embedded in the ROM.”

An analyst discovered that the malware was attempting to fetch additional payloads via ‘’, ‘’, and ‘’.

Because finding a clean ROM to replace the malicious one proved just as difficult, Milisic changed the DNS for the C2 so that the requests were routed through the Pi-hole web server, which made it possible to block them.

T95 users are advised to take these simple steps in order to wipe their devices and eliminate any malware.

  1. Reboot in recovery mode, or use the “Factory Reset” option from the settings menu.
  2. After rebooting, connect via USB or WiFi Ethernet to ADB and .

grep Corejava” and verify that the chmod command failed to execute.

These devices are quite inexpensive on Amazon, so it might make sense to simply stop using them.

An ambiguous electronics market

These inexpensive Android-based TV box devices are not available in all markets. They have to be manufactured in China.

These devices may be sold under multiple brands or device names, with little to no indication of where they came from.

Additionally, because the devices often pass through many hands, sellers and resellers can load customized ROMs onto them. This could lead to malicious code being installed.

Even though most sites have policies against selling devices with malware preloaded, it is virtually impossible to enforce these policies by inspecting every electronic item and verifying that it is free from sophisticated malware.

You can avoid these risks by choosing streaming devices from trusted vendors such as Google Chromecast and Roku Stick.

BleepingComputer tried to reach the seller listed on Amazon, but couldn’t find any email addresses or websites.

Update 1-13: Daniel Milisic shared additional information with BleepingComputer about the malware discovered, resulting in minor changes to the article.