At $39.99 with a $3 coupon option for Amazon Prime members, the T95 Android 10.0 TV box might seem like a good value. But when an unsuspecting but cybersecurity-savvy customer ordered one up, he said it came "festooned" with malware — no extra charge.
Daniel Milisic warned consumers in Reddit and GitHub posts that he just happened to have bought the box to run Pi-hole tracker blocking — and that he immediately made a startling discovery. His first clue something was funky with the device's security was that it was signed with Android 10 test keys.
"If test keys weren't enough of a bad omen, I also found ADB wide open over the Ethernet port — right out of the box," Milisic added.
Then he let Pi-hole go to work.
"After running the Pi-hole install I set the box's DNS1 and DNS2 to 127.0.0.1 and got a hell of a surprise," Milisic wrote. "The box was reaching out to many known, active malware addresses."
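The two early warning signs quoted above (firmware signed with test keys, ADB reachable over the network) can be checked from a device's property dump before it is ever put on a LAN. The script below is an added example, not Milisic's code or anything from his posts; it parses `adb shell getprop` output and reports those indicators. The property dump is constructed for illustration, while the property names themselves are standard Android build/ADB properties.

```python
import re
from typing import Dict, List

# Constructed `adb shell getprop` output for a hypothetical box (not captured
# from the device in the article); the values are chosen to show the red flags.
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [Android/t95/t95:10/QP1A.190711.020/20201005:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse getprop output into a key -> value dict, ignoring malformed lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_build(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings for test-key signing and exposed ADB."""
    findings: List[str] = []
    tags = props.get("ro.build.tags", "")
    fingerprint = props.get("ro.build.fingerprint", "")
    if "test-keys" in tags or fingerprint.endswith("/test-keys"):
        findings.append(f"firmware signed with AOSP test keys (ro.build.tags={tags})")
    if props.get("ro.build.type", "user") != "user":
        findings.append(f"non-production build type: {props['ro.build.type']}")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debuggable build, 'adb root' is permitted")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd does not drop root privileges")
    if props.get("ro.adb.secure", "1") == "0":
        findings.append("ro.adb.secure=0: ADB key authorization prompt is disabled")
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        port = props.get(key)
        if port and port not in ("-1", "0"):
            findings.append(f"ADB listening on TCP port {port} ({key}): reachable without USB")
    return findings


if __name__ == "__main__":
    for finding in audit_build(parse_getprop(SAMPLE_GETPROP)):
        print("FLAG:", finding)
```

A box that is clean on these checks can still carry preinstalled malware; the DNS-log step Milisic describes remains the more decisive test.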
Milisic explained he discovered traffic-monitoring malware, and an additional type of malware he said operates similarly to Android mobile malware CopyCat, but he wasn't able to identify it as a known variant.
To boot, the malicious code is unremovable: Milisic was ultimately unable to strip the malware from the device, so it's currently unplugged, he said.
Preinstalled Malware Isn't New
Hardware being sold with preinstalled and often unremovable malware is an ongoing issue for consumers. Researchers at Check Point, for instance, warned consumers back in 2017 that a telecom company was distributing more than 36 different Android devices preloaded with adware.
In 2018 Chinese PC maker Lenovo was ordered to pay millions in a class-action lawsuit over its laptops coming with preinstalled adware, in the well-publicized "Superfish" incident. More recently, in April 2022, security researchers with ESET reported they had found and disclosed firmware-level vulnerabilities in millions of Lenovo consumer laptops that could allow attackers to escalate device privileges and drop malware undetected.
And in July 2020, researchers at Malwarebytes raised the alarm that government-funded Android phones for low-income households came out of the box with preinstalled Chinese malware that was deemed incapable of being removed.
The trend indicates that security teams and end users alike should exercise a bit of extra caution when sourcing devices, from phones to laptops to TV boxes and more.
"The main take-away here: Don't trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys," Milisic warned. "They are stealing your data and (unless you can watch DNS logs) do so without a trace!"