Android TV Box Sold on Amazon Comes With a Special Treat: Malware – PCMag

An Android TV box sold on Amazon was found to be secretly loaded with malware, according to a Canadian infrastructure and security consultant who purchased the device.

In posts on GitHub and Reddit, Daniel Milisic warns about the T95 Android TV Box, which he bought a few months ago on Amazon. The product, which also uses the Allwinner H616 chip, is currently being sold on Amazon and AliExpress, starting at around $40.

Milisic noticed something was off when he found that the box’s Android 10 OS was signed using test keys and had the Android Debug Bridge (ADB) open, giving anyone access to it via Ethernet and Wi-Fi.

The T95 Android TV Box Milisic bought.
(Credit: Milisic/Amazon)

He then ran the ad-blocking software Pi-hole over the device, which revealed the various internet domains the TV box was trying to connect to. “That’s how I discovered just how nastily this box is festooned with malware,” Milisic wrote, later adding: “The box was reaching out to many known, active malware addresses.”

Based on his analysis, the malware operates similarly to the CopyCat Android malware, which can hijack a device to install apps and display ads to try to generate revenue for cybercriminals. Milisic also told PCMag he found evidence that a separate piece of malware, called Adups, was installed on the device too.

It’s unclear how many T95 Android TV boxes are loaded with the malware. But Milisic’s post contains tips for owners on how to find out if their product is affected. If the TV box contains the folder “/data/system/Corejava” and the file “/data/system/sharedprefs/openpreference.xml,” then the device has been compromised.  
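The checks described above (the two file-system indicators, test-key signing and network-exposed ADB) can be combined into one triage pass. The script below is an added example, not code from Milisic's post or from PCMag. It assumes you have a copy of the device's file system and the saved output of `adb shell getprop`; the function names, finding labels and sample data are made up for illustration, and the `ro.build.tags` and `*.adb.tcp.port` properties are standard Android properties rather than details taken from the article.

```shell
#!/bin/sh
# Added example: triage a T95-style box for the indicators named in the article.

# Read one property from saved `getprop` output ("[key]: [value]" lines).
prop() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" "$2" | head -n 1
}

# t95_triage ROOT GETPROP_FILE
#   ROOT         directory holding a copy of the device file system
#   GETPROP_FILE saved output of `adb shell getprop`
# Prints a space-separated list of findings (empty when nothing matched).
t95_triage() {
    root=$1 props=$2 findings=""

    # File-system indicators, paths verbatim from the article.
    [ -d "$root/data/system/Corejava" ] && findings="$findings corejava_dir"
    [ -f "$root/data/system/sharedprefs/openpreference.xml" ] &&
        findings="$findings openpreference_xml"

    # Firmware signed with test keys (assumption: reported via ro.build.tags).
    case "$(prop ro.build.tags "$props")" in
        *test-keys*) findings="$findings test_keys" ;;
    esac

    # ADB reachable over the network (assumption: a TCP port property is set).
    for key in service.adb.tcp.port persist.adb.tcp.port; do
        port=$(prop "$key" "$props")
        case "$port" in
            ''|-1|0) ;;                                  # unset or disabled
            *) findings="$findings adb_tcp:$port"; break ;;
        esac
    done

    echo "${findings# }"
}

# Constructed sample data for a dry run; not captured from a real device.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/root/data/system/Corejava"
    printf '%s\n' '[ro.build.tags]: [test-keys]' \
                  '[service.adb.tcp.port]: [5555]' > "$d/getprop.txt"
    echo "$d"
}

sample=$(make_sample)
t95_triage "$sample/root" "$sample/getprop.txt"
rm -rf "$sample"
```

An empty result only means none of these four indicators matched; it does not show that the firmware is clean.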

His GitHub post goes on to offer a way to partially disable the malware by disrupting its communication path to the hacker-controlled servers. But for non-tech-savvy users, the easiest way to address the threat is to pull the plug on the product. In a Reddit post, Milisic said that doing a factory reset simply reinstalls the malware on the TV box.

The incident is a reminder to be careful about buying products from unknown tech brands. Amazon didn’t immediately respond to a request for comment.
