Canadian sysadmin Daniel Milisic discovered that the firmware of the T95 Android set-top box he bought on Amazon was infected with complex malware right out of the box.
Let me remind you that we also wrote about how The Google Play Store Again Found a Malware Installed More Than a Million Times, and that Iranian RatMilad Spyware Attacks Android Users.
You may also find this guide useful: How to Delete Amazon account.
The malware was found in the firmware of the T95 set-top box with the AllWinner H616 processor, which is sold on Amazon, AliExpress and other major marketplaces in different countries. Such consoles go through a completely obscure path from production in China to the shelves of virtual stores. In many cases, devices are sold under different brands and names, and there is simply no clear indication of their origin.
In addition, since such devices usually go through many hands, vendors and resellers have many options for loading custom ROMs on them, including potentially malicious ones.
The researcher says that the T95 device he studied used an Android 10-based ROM signed with test keys and ADB (Android Debug Bridge) opened over Ethernet and Wi-Fi.
This configuration can already be alarming, since ADB can be used to connect to devices, have unlimited access to the file system, execute commands, install software, change data, and remotely control the device. However, since most consumer devices are protected by a firewall, attackers are unlikely to be able to remotely connect to them via ADB.
Milisic writes that he originally purchased the device to run Pi-hole DNS-sinkhole on it, which protects devices from inappropriate content, ads and malicious sites without installing additional software. However, after analyzing DNS queries in Pi-hole, the researcher noticed that the device was trying to connect to several IP addresses associated with active malware.
Milisic believes that the malware installed on the device is a sophisticated CopyCat Android malware, first discovered by experts from Check Point in 2017. Even then, analysts believed that the malware infected more than 14 million devices worldwide, gained root access to 8 million of them, and in just two months brought its authors about $1.5 million.
It turned out that the malware was trying to fetch additional payloads from ycxrl[.]com, cbphe[.]com, and cbpheback[.]com. Since building a clean firmware to replace the infected one proved difficult, Milisic decided to change the DNS resolution of the C&C domains so that their requests are routed to the Pi-hole web server and blocked there.
The researcher writes that he does not know how many Android boxes of this model sold on Amazon are infected, nor exactly how this happened, but he recommends that all T95 users follow two simple steps to clean their device and neutralize any malware that may be running on it:
- reboot the device into recovery mode or perform a factory reset through the menu;
- after the reboot, connect to ADB via USB or Wi-Fi/Ethernet and run the script he created.
To make sure the malware is neutralized, run `adb logcat | grep Corejava` and verify that the chmod command failed.
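As an added illustration of the two defensive checks above (this is not Milisic's script, and the exact format of the Corejava log lines is an assumption; the sample lines in the test are constructed), here is a small POSIX shell helper that classifies saved `adb logcat` output by whether the Corejava chmod failed, and emits the three C&C domains named in the article as a hosts-format list that Pi-hole accepts as an adlist:

```shell
#!/bin/sh
# Added example, not the cleanup script from Milisic's repository.
# Assumption: the malware logs under the tag "Corejava" and a blocked
# re-arming attempt shows up as a chmod line carrying an error string.

# Usage: corejava_status FILE   (FILE holds saved `adb logcat` output)
# Prints "neutralized", "active" or "absent"; returns 0, 1 or 2.
corejava_status() {
    log="$1"
    # The article's own check is `adb logcat | grep Corejava`; same filter here.
    lines=$(grep 'Corejava' "$log" 2>/dev/null || true)
    if [ -z "$lines" ]; then
        echo absent
        return 2
    fi
    # A chmod that hit "Permission denied" / "Operation not permitted" / "failed"
    # is the sign described in the article: the payload could not re-arm itself.
    if printf '%s\n' "$lines" | grep -i 'chmod' \
        | grep -Eiq 'permission denied|operation not permitted|failed'; then
        echo neutralized
        return 0
    fi
    # Corejava activity is present but no chmod failure was logged.
    echo active
    return 1
}

# Hosts-format blocklist of the C&C domains from the article (defanging removed);
# save it to a file and add that file as an adlist in Pi-hole's Group Management.
t95_blocklist() {
    for d in ycxrl.com cbphe.com cbpheback.com; do
        printf '0.0.0.0 %s\n' "$d"
    done
}
```

To use it on a live box, capture a log first with `adb logcat -d > t95.log` and then run `corejava_status t95.log`.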
Given how inexpensive such devices are, the researcher notes that it may be more reasonable to stop using them altogether.