A Canadian system administrator discovered that an Android TV box purchased from Amazon was preloaded with persistent and sophisticated malware embedded in its firmware.
The malware was discovered by Daniel Milisic, who created a script and instructions to help users neutralize the payload and stop its communication with the command and control (C2) server.
The device in question is the T95 Android TV box with an AllWinner T616 processor, widely available through Amazon, AliExpress and other major e-commerce platforms.
It is not clear if only this device was affected or if all devices of this model or brand include the malicious component.
Malware on the TV streaming box
The T95 streaming device uses a signed Android 10 based ROM with test keys and the open ADB (Android Debug Bridge) over Ethernet and WiFi.
This is a suspicious setup because ADB can be used to connect to devices for unrestricted file system access, command execution, software installation, data modification and remote control.
However, since most consumer streaming devices are behind a firewall, hackers are unlikely to be able to connect to ADB remotely.
Milisic says he first bought this device to run the Pi-hole DNS sinkhole, which protects devices from unwanted content, ads and malicious sites without installing any software on them.
While analyzing DNS queries in Pi-hole, Milisic discovered that the device was attempting to connect to multiple IP addresses associated with active malware.
Milisic believes that the malware installed on the device is “CopyCat”, a sophisticated Android malware first discovered by Check Point in 2017. This malware was once seen in an adware campaign where it infected 14 million Android devices to earn its operators over $1,500,000 in profit.
“I found layers on top of layers of malware using ‘tcpflow’ and ‘nethogs’ to monitor traffic and trace it back to the offending process/APK, which I then removed from ROM,” explains the analyst in a GitHub post.
“The last piece of malware that I could not locate injects the ‘system_server’ process and appears to be deeply embedded in ROM.”
The analyst observed that the malware attempted to fetch additional payloads from “ycxrl.com”, “cbphe.com”, and “cbpheback.com”.
Because finding a clean ROM to replace the malicious one is just as difficult, Milisic resorted to changing the DNS resolution for the C2 domains so that requests are routed through the Pi-hole web server, where they can be blocked.
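The detection described above, as an added example that is not part of the original article or Milisic's own tooling: it scans Pi-hole's dnsmasq-style query log for lookups of the three payload domains named in the article (ycxrl.com, cbphe.com, cbpheback.com), reports which client on the LAN made them, and emits the hosts-format lines that a Pi-hole blocklist accepts for sinking those domains. The log lines are constructed sample data in dnsmasq's `query[TYPE] name from client` format, and the client addresses are invented.

```python
import re
from collections import Counter

# Payload domains the article reports the T95 malware contacting.
C2_DOMAINS = {"ycxrl.com", "cbphe.com", "cbpheback.com"}

# dnsmasq query line as written to /var/log/pihole.log, e.g.
# "Jan 13 20:14:01 dnsmasq[612]: query[A] ycxrl.com from 192.168.1.42"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def is_c2_lookup(name, c2_domains=C2_DOMAINS):
    """True if name is one of the C2 domains or a subdomain of one.

    The check is label-aware: 'notcbphe.com' does not match 'cbphe.com'.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def scan_pihole_log(lines, c2_domains=C2_DOMAINS):
    """Return (client, queried_name) for every query line that hits a C2 domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no client, skip them
        name = m.group("name").rstrip(".").lower()
        if is_c2_lookup(name, c2_domains):
            hits.append((m.group("client"), name))
    return hits


def suspect_clients(hits):
    """Count C2 lookups per LAN client so the infected box can be identified."""
    return dict(Counter(client for client, _ in hits))


def blocklist_entries(c2_domains=C2_DOMAINS):
    """Hosts-format lines (accepted by Pi-hole's blocklist import) that sink each domain."""
    return [f"0.0.0.0 {d}" for d in sorted(c2_domains)]


# Constructed sample log: one client (the TV box) resolving the payload domains,
# one unrelated client resolving a benign name, plus a non-query dnsmasq line.
SAMPLE_LOG = """\
Jan 13 20:14:01 dnsmasq[612]: query[A] ycxrl.com from 192.168.1.42
Jan 13 20:14:01 dnsmasq[612]: forwarded ycxrl.com to 1.1.1.1
Jan 13 20:14:02 dnsmasq[612]: query[A] api.cbphe.com from 192.168.1.42
Jan 13 20:14:05 dnsmasq[612]: query[AAAA] www.example.com from 192.168.1.17
Jan 13 20:14:09 dnsmasq[612]: query[A] cbpheback.com from 192.168.1.42
""".splitlines()


if __name__ == "__main__":
    found = scan_pihole_log(SAMPLE_LOG)
    for client, name in found:
        print(f"C2 lookup: {client} -> {name}")
    print("per-client counts:", suspect_clients(found))
    print("\n".join(blocklist_entries()))
```

Run it against a real `/var/log/pihole.log` by replacing `SAMPLE_LOG` with the file's lines; a client that repeatedly resolves these names after a factory reset is the box to isolate. The hosts-format output can be saved as a local list and added to Pi-hole's blocklists, which is the same effect Milisic achieved by pointing the C2 lookups at the Pi-hole.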
T95 users are recommended to follow these two simple steps to clean their device and undo the malware running on it:
- Reboot in recovery mode or perform “factory reset” in the settings menu.
- On restart, connect to ADB via USB or Wi-Fi/Ethernet and run this script.
To confirm that the malware has been rendered harmless, run “adb logcat | grep Corejava” and check that the chmod command could not be executed.
However, since these devices are quite cheap on Amazon, it may be wiser to stop using them if you can afford it.
An ambiguous electronic market
Unfortunately, these inexpensive, Android-based TV boxes follow an obscure route from manufacturing in China to becoming available in the global market.
In many cases, these devices are sold under multiple brands and device names, with no clear indication of their origin.
Additionally, since devices typically pass through many hands, vendors and resellers have several opportunities to load potentially malicious custom ROMs onto devices.
Even though most e-commerce sites have policies to prevent the sale of devices preloaded with malware, it is nearly impossible to enforce these rules by examining every electronic device and confirming that it is free of sophisticated malware.
To avoid such risks, you can choose streaming devices from reputable providers like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.
BleepingComputer attempted to contact the seller listed on Amazon but found no website or email address associated with the brand.