Amazon Sells Android Consoles with Built-in Malware

Android consoles with malware
Written by William Reddy

Canadian sysadmin Daniel Milisic discovered that the firmware of the T95 Android set-top box he bought on Amazon was infected with complex malware right out of the box.

Let me remind you that we also wrote that The Google Play Store Again Found a Malware Installed More Than a Million Times, and that Iranian RatMilad Spyware Attacks Android Users.

You may also need our guide: How to Delete Amazon account.

The malware was found in the firmware of the T95 set-top box with the AllWinner H616 processor, which is sold on Amazon, AliExpress and other major marketplaces in various countries. Such consoles follow a completely opaque path from manufacture in China to the shelves of online stores. In many cases the devices are sold under different brands and names, and there is simply no clear indication of their origin.

In addition, since such devices usually pass through many hands, vendors and resellers have many opportunities to load custom ROMs onto them, including potentially malicious ones.

The researcher says that the T95 device he studied ran an Android 10-based ROM signed with test keys, with ADB (Android Debug Bridge) exposed over both Ethernet and Wi-Fi.

This configuration alone is alarming, since ADB can be used to connect to the device, gain unrestricted access to the file system, execute commands, install software, modify data and remotely control the device. However, since most consumer devices are protected by a firewall, attackers are unlikely to be able to reach them via ADB remotely.

Milisic writes that he originally purchased the device to run the Pi-hole DNS sinkhole on it, which protects devices from inappropriate content, ads and malicious sites without installing additional software on them. However, after analyzing the DNS queries in Pi-hole, the researcher noticed that the device was trying to connect to several IP addresses associated with active malware.


Milisic believes that the malware installed on the device is a sophisticated variant of the CopyCat Android malware, first discovered by Check Point experts in 2017. Even then, analysts believed that the malware had infected more than 14 million devices worldwide, gained root access on 8 million of them, and brought its authors about $1.5 million in just two months.

"I discovered layers on top of the malware using tcpflow and nethogs to monitor traffic and traced the malware to the offending process/APK, which I then removed from ROM. But the last piece of malware that I haven’t been able to track down is injecting the system_server process and seems to be deeply integrated into the ROM," the researcher explains.

It turned out that the malware was trying to fetch additional payloads from ycxrl[.]com, cbphe[.]com and cbpheback[.]com. Since building clean firmware to replace the infected ROM proved difficult, Milisic instead redirected DNS for the C&C domains to the Pi-hole web server so that the requests could be blocked.
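The detection step described above, written out as an added example (this is not the researcher's script or Pi-hole's own code): it parses dnsmasq-style Pi-hole query log lines, matches the three C&C domains named in the article (and their subdomains), and reports which client on the LAN is asking for them. The log lines below are constructed for the example.

```python
import re
from collections import defaultdict

# C&C domains from the article, kept defanged; refanged once for matching.
DEFANGED_C2 = ["ycxrl[.]com", "cbphe[.]com", "cbpheback[.]com"]
C2_DOMAINS = [d.replace("[.]", ".").lower() for d in DEFANGED_C2]

# Pi-hole (dnsmasq) query line: "<ts> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+) dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)

def is_c2_name(name, c2_domains=C2_DOMAINS):
    """True if the queried name is a C&C domain or a subdomain of one."""
    n = name.lower().rstrip(".")  # normalise case and trailing dot
    return any(n == d or n.endswith("." + d) for d in c2_domains)

def find_c2_clients(log_lines, c2_domains=C2_DOMAINS):
    """Return {client_ip: {queried_name: count}} for queries hitting C&C domains."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # "forwarded", "reply", "cached" lines are not client queries
        if is_c2_name(m["name"], c2_domains):
            hits[m["client"]][m["name"].lower().rstrip(".")] += 1
    return {client: dict(names) for client, names in hits.items()}

# Constructed sample log; 192.168.1.50 plays the role of the infected box.
SAMPLE_LOG = """\
Jan 11 09:14:02 dnsmasq[1234]: query[A] time.android.com from 192.168.1.20
Jan 11 09:14:05 dnsmasq[1234]: query[A] ycxrl.com from 192.168.1.50
Jan 11 09:14:05 dnsmasq[1234]: forwarded ycxrl.com to 1.1.1.1
Jan 11 09:14:06 dnsmasq[1234]: query[A] api.cbphe.com from 192.168.1.50
Jan 11 09:14:09 dnsmasq[1234]: query[AAAA] CBPHEBACK.COM. from 192.168.1.50
Jan 11 09:15:31 dnsmasq[1234]: query[A] ycxrl.com from 192.168.1.50
Jan 11 09:16:00 dnsmasq[1234]: query[A] notcbphe.com from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    for client, names in find_c2_clients(SAMPLE_LOG).items():
        print(client, names)
```

On a real Pi-hole the same parser can be fed /var/log/pihole.log; a look-alike such as notcbphe.com is deliberately not matched because only exact names and true subdomains count.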

The researcher writes that he does not know how many Android consoles of this model sold on Amazon are infected with malware, nor exactly how this happened, but he recommends that all T95 users follow two simple steps to clean the device and neutralize any malware that may be running on it:

  1. reboot the device into recovery mode or perform a factory reset from the menu;
  2. after the reboot, connect via ADB over USB or Wi-Fi/Ethernet and run the script he created.

To make sure the malware has been neutralized, run adb logcat | grep Corejava and verify that the chmod command failed.

Given how inexpensive such devices are, the researcher notes that it may be more reasonable to stop using them altogether.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
