Outrageous Android TV device 'T95' with malware installed from the beginning is on sale at Amazon and AliExpress

A report has been raised on GitHub that malware was pre-installed in the

set-top box ' T95 ' equipped with Android TV, which is also sold by Amazon and AliExpress. The identity of the malware is said to be similar to ' CopyCat ', which spread infection to Android devices.

GitHub - DesktopECHO/T95-H616-Malware: 'Pre-Owned' malware in ROM on T95 Android TV Box (AllWinner H616)

The set-top box in question is also sold on Amazon.com and can be purchased for $ 32.99 (about 4300 yen) at the time of article creation. Equipped with Android 10.0, SoC is Allwinner H616 , CPU is Cortex-A5, GPU is Mali-G31, 3RAM is 2GB, storage is 16GB, and 6K Ultra HD is supported.

Also, T95 was handled by AliExpress. The price is around 4500 yen.

DesktopECHO , who created the report page, said that he purchased T95 to test Pi-hole , a tool for Android developed by himself. However, it seems that the contents of this T95 turned out to be very rough. Android 10 was signed with a test key and was named 'Wallye' after Google Pixel 2. Additionally, the Android Debug Bridge , a versatile command-line tool for communicating with devices, was found to be widely open over Ethernet and Wi-Fi.

So, when I actually installed Pi-hole on T95 and set DNS to, it turned out that T95 was accessing the active malware address.

Mr. DesktopECHO tried to remove the malware and said that he deleted the suspicious behavior while tracking the process. It seems that many malware could be deleted, but one could not be deleted because it was embedded deep in the storage. It seems that this malware that could not be deleted was similar in behavior to the already reported 'CopyCat'.

As a result, DesktopECHO seems to have been able to monitor the malware activity and almost neutralize it by changing the DNS of the C2 server that the malware in T95 communicates to

DesktopECHO said, ``The T95 is infected with malware and is ready to do what the C2 server decides.Yes, the malware comes directly from Amazon.If you sell such a device For example, we need to add a 'contains malware' category to the Android TV section.' We have released the source code of the script to disable the malware on the T95.

T95-H616-Malware/T95-H616-Cleanup.sh at main DesktopECHO/T95-H616-Malware GitHub

in Security, Posted by log1i_yk