If you’ve bought yourself a cheap TV streaming box from Amazon recently, you may have inadvertently bought yourself a shiny, new piece of malware without even knowing it! A Canadian sysadmin and researcher recently discovered his T95 Android TV box came with a little more than he expected.
The device — which is freely available on AliExpress as well as Amazon — seems fine on the surface, but dig a little deeper and things get a bit sketchy.
The T95 runs Android 10, but the ROM in question is signed with test keys and the Android Debug Bridge is — in the words of Daniel Milisic of IT outfit DesktopECHO — “wide open over Ethernet and wi-fi — right out-of-the-box”.
Milisic ran the Pi-hole OS on the device and this uncovered a whole new realm of issues. After making some DNS changes, he found that the box was actively making contact with a host of well-used malware sites.
After failing to find a ROM that was suitably clean, Milisic tried removing the malware.
“I found layers on top of layers of malware using tcpflow and nethogs to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM,” Milisic says on a GitHub post detailing his experience.
Unfortunately, the final piece of the malware puzzle proved to be “deeply-baked into the ROM”. It behaved like a variant of the CopyCat malware, repeatedly injecting itself into the system_server process.
Milisic was, however, able to work around the malware by redirecting DNS lookups for the command and control server it was reporting to, so its callbacks never reach the real host.
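The two DNS-side steps described above, spotting a device that keeps calling out to known-bad hosts in Pi-hole's query log and then sinkholing those hosts so the callbacks go nowhere, can be reproduced with a short script. The following is an added example written for this article, not code from Milisic's GitHub guide or from the Pi-hole project. It parses dnsmasq-style query lines (the format Pi-hole logs), flags clients that repeatedly query blocklisted names, and emits the `address=/domain/0.0.0.0` rules dnsmasq uses to sinkhole them. The log lines, client addresses and domain names are all constructed for the example; the `.invalid` domains stand in for the real C2 hosts, which this page does not name.

```python
"""Flag clients beaconing to blocklisted domains in a Pi-hole/dnsmasq query
log, and emit sinkhole rules for those domains. Added example; the log lines
and domain names below are constructed, not indicators from the article."""
import re
from collections import defaultdict

# dnsmasq query log lines have the form:
#   "<ts> dnsmasq[<pid>]: query[<type>] <domain> from <client>"
# and an address=/<domain>/0.0.0.0 rule is answered and logged as:
#   "<ts> dnsmasq[<pid>]: config <domain> is 0.0.0.0"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)"
)
SINKHOLE_RE = re.compile(r"dnsmasq\[\d+\]: config (?P<domain>\S+) is (?P<addr>\S+)")

# Constructed blocklist standing in for the C2 hosts the article describes.
BLOCKLIST = {"c2.example-malware.invalid", "update.example-adware.invalid"}

# Constructed sample log: one streaming box (192.168.1.42) beaconing, one
# ordinary client (192.168.1.10) doing nothing unusual.
SAMPLE_LOG = """\
Jan 14 10:00:01 dnsmasq[1234]: query[A] time.android.com from 192.168.1.42
Jan 14 10:00:01 dnsmasq[1234]: forwarded time.android.com to 1.1.1.1
Jan 14 10:00:02 dnsmasq[1234]: query[A] c2.example-malware.invalid from 192.168.1.42
Jan 14 10:00:02 dnsmasq[1234]: config c2.example-malware.invalid is 0.0.0.0
Jan 14 10:00:03 dnsmasq[1234]: query[A] c2.example-malware.invalid from 192.168.1.42
Jan 14 10:00:03 dnsmasq[1234]: config c2.example-malware.invalid is 0.0.0.0
Jan 14 10:00:05 dnsmasq[1234]: query[AAAA] update.example-adware.invalid from 192.168.1.42
Jan 14 10:00:05 dnsmasq[1234]: config update.example-adware.invalid is 0.0.0.0
Jan 14 10:00:09 dnsmasq[1234]: query[A] www.wikipedia.org from 192.168.1.10
"""


def parse_queries(log_text):
    """Yield (client, domain, qtype) for every query line in the log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["domain"].lower(), m["qtype"]


def sinkholed_domains(log_text):
    """Domains the resolver answered from a local block rule (0.0.0.0 or ::)."""
    found = set()
    for line in log_text.splitlines():
        m = SINKHOLE_RE.search(line)
        if m and m["addr"] in ("0.0.0.0", "::"):
            found.add(m["domain"].lower())
    return found


def flag_clients(log_text, blocklist=BLOCKLIST):
    """Return {client: {domain: query_count}} for queries to blocklisted names."""
    hits = defaultdict(lambda: defaultdict(int))
    for client, domain, _qtype in parse_queries(log_text):
        if domain in blocklist:
            hits[client][domain] += 1
    return {client: dict(domains) for client, domains in hits.items()}


def beaconing_clients(log_text, blocklist=BLOCKLIST, min_repeats=2):
    """Clients that re-query the same blocklisted domain at least min_repeats
    times; repeated lookups of a dead C2 name are the tell-tale of a beacon."""
    return {
        client
        for client, domains in flag_clients(log_text, blocklist).items()
        if any(count >= min_repeats for count in domains.values())
    }


def sinkhole_rules(domains):
    """dnsmasq address= rules that pin each domain to 0.0.0.0, the same
    DNS-override approach Milisic used to cut the malware off from its C2."""
    return [f"address=/{d}/0.0.0.0" for d in sorted(domains)]


if __name__ == "__main__":
    for client, domains in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {domains}")
    print("beaconing:", beaconing_clients(SAMPLE_LOG))
    print("\n".join(sinkhole_rules(BLOCKLIST)))
```

Point the script at `/var/log/pihole.log` (or any dnsmasq log with `log-queries` enabled) in place of `SAMPLE_LOG`; the `address=` lines it prints drop into a dnsmasq configuration file to sinkhole the flagged names for every device on the network, not just the box under examination.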
There’s a full guide to getting around the device’s malware on the GitHub page, and Milisic is very keen to see if anyone else has a solution to removing the final bit of malicious code.
“Hopefully, a method can be found to completely disable the malware, for the time being this is as close as it gets,” he says.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.