A Canadian system administrator discovered that a T95 Android TV box he purchased from Amazon came pre-loaded with persistent, sophisticated malware baked into its firmware.
He had bought the device to run the Pi-hole DNS sinkhole, which blocks advertisements, trackers and malicious domains for every client on the network without installing software on each one. Instead, he found the box attempting to connect to several IP addresses associated with active malware.
He said that the malware installed on the device is ‘CopyCat’, a sophisticated Android malware family first documented by Check Point in 2017. It was previously seen in an adware campaign in which it infected 14 million Android devices and earned its operators over $1,500,000 in profits.
The T95 streaming device runs an Android 10-based ROM signed with test keys, with ADB (Android Debug Bridge) open over both Ethernet and WiFi. This is a suspicious configuration: the AOSP test keys are publicly known, so anyone can sign code that the device trusts, and a network-reachable ADB service gives anyone on the LAN unrestricted filesystem access, command execution, software installation, data modification and remote control of the box.
T95 users are recommended to follow these steps to clean their device and neutralise the malware running on it (note that because the malware lives in the firmware image, a factory reset alone does not remove it; the second step is required):
1. Reboot into recovery mode or perform “Factory Reset” from the settings menu.
2. After the reboot, connect to ADB via USB or over WiFi/Ethernet and run the clean-up script.
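Before and after running the clean-up, it is worth confirming the two weaknesses described above from the same ADB session. The following triage script is an added example and is not the administrator's own script or anything from the original report. It reads `adb shell getprop` output and flags a ROM signed with test keys (`ro.build.tags`) and an adbd listening on the network (`service.adb.tcp.port` or `persist.adb.tcp.port`, together with `ro.adb.secure`); the property names are standard Android ones, but the property dump embedded below is constructed so the checks can run offline without a device.

```shell
#!/bin/sh
# Added triage example for a T95-style box; not the original owner's script.
# Parses `adb shell getprop` output ("[name]: [value]" per line).

# Extract a single property value from a getprop dump.
prop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Return 0 when the build is signed with the publicly known AOSP test keys.
build_is_test_keys() {
    case "$1" in
        *test-keys*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when adbd is bound to a TCP port and does not require RSA auth.
# Arguments: tcp port property value, ro.adb.secure value.
adb_exposed_over_network() {
    tcp_port="$1"; adb_secure="$2"
    [ -n "$tcp_port" ] && [ "$tcp_port" != "-1" ] && [ "$adb_secure" != "1" ]
}

# Run both checks over a getprop dump; print findings, return 0 if suspicious.
triage_props() {
    props="$1"
    tags=$(prop_value ro.build.tags "$props")
    port=$(prop_value service.adb.tcp.port "$props")
    if [ -z "$port" ]; then
        port=$(prop_value persist.adb.tcp.port "$props")
    fi
    secure=$(prop_value ro.adb.secure "$props")
    suspicious=1
    if build_is_test_keys "$tags"; then
        echo "WARN: ROM signed with test keys (ro.build.tags=$tags)"
        suspicious=0
    fi
    if adb_exposed_over_network "$port" "$secure"; then
        echo "WARN: ADB reachable on TCP port $port without auth (ro.adb.secure=$secure)"
        suspicious=0
    fi
    return $suspicious
}

# Constructed sample resembling a getprop dump from such a box (not real data).
SAMPLE_PROPS='[ro.build.tags]: [test-keys]
[ro.build.version.release]: [10]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]'

# Usage: ./triage.sh --live   (after: adb connect <box-ip>:5555)
#        ./triage.sh          (runs against the constructed sample)
if [ "$1" = "--live" ] && command -v adb >/dev/null 2>&1; then
    triage_props "$(adb shell getprop)"
else
    triage_props "$SAMPLE_PROPS"
fi
```

A clean consumer device should show `release-keys` and an empty or `-1` ADB TCP port; seeing either warning after the clean-up means the firmware still exposes the box, and unplugging it from the network is the only reliable mitigation.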