{
	"id": "0ee8b9a9-8214-4ee0-9dbf-3d145e06a96c",
	"created_at": "2026-04-06T00:15:50.838866Z",
	"updated_at": "2026-04-10T03:21:08.095583Z",
	"deleted_at": null,
	"sha1_hash": "90cae1dd94e2f5dd0c13d219ea528f58e3b8abd7",
	"title": "Owner of an Android TV box? May want to check if it's an active botnet member...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 225401,
	"plain_text": "Owner of an Android TV box? May want to check if it's an active botnet member...\r\nBy DesktopECHO\r\nPublished: 2022-11-16 · Archived: 2026-04-05 20:44:51 UTC\r\nThread starter DesktopECHO\r\nStart date Nov 16, 2022\r\n#1\r\nI installed Pi-hole on my Android device and pointed DNS at 127.0.0.1\r\nSaw a bunch of funky domains in the query log and blocked them.\r\nhttps://xdaforums.com/t/owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567/\r\nPage 1 of 10\n\nBut what was causing it?\r\nroot@walleye:~# tcpflow -p -c -i wlan0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'\r\nreportfilename: ./report.xml\r\ntcpflow: listening on wlan0\r\nGET /logs/log.info?package=com.swe.dgbluancher\u0026osv=10\u0026gaid=ff9300dd-f771-40ff-84d7-42184fc40d95\u0026get_ip_info=ff93\r\nHost: 128.199.97.77\r\nGET /logs/log.active?package=com.swe.dgbluancher\u0026osv=10\u0026gaid=ff9300dd-f771-40ff-84d7-42184fc40d95\u0026model=MBOX\u0026mak\r\nHost: 128.199.97.77\r\nGET /logs/log.info?package=com.swe.dgbluancher\u0026osv=10\u0026gaid=ff9300dd-f771-40ff-84d7-42184fc40d95\u0026get_ip_info=ff93\r\nHost: 128.199.97.77\r\nGET /?timestamp=1668566687503\u0026version=1\u0026biz=10016\u0026os=2\u0026id=3e2dfd4c426e38721ac0bcc09612aa96\u0026sign=d59dab2813001575\r\nHost: www.forfor123.com\r\nGET /get_endpoint?timestamp=1668566687493\u0026version=1\u0026biz=10016\u0026os=2\u0026id=3e2dfd4c426e38721ac0bcc09612aa96\u0026sign=135d\r\nHost: qweqwe135.top\r\nPOST /u.php?id=30018\u0026m=cTUJPWA\u0026s=d1,u3\u0026p=cY29tLnN3ZS5kZ2JsdWFuY2hlcg\u0026aid=df53b410ca1fd8a6\u0026am=2 HTTP/1.0\r\nHost: v.sustat.com\r\nGET /stg?channel=hzsdk_05\u0026sdk=js_club HTTP/1.1\r\nHost: sdk2.appclicking.com\r\nGET /logs/log.info?package=com.swe.dgbluancher\u0026osv=10\u0026gaid=ff9300dd-f771-40ff-84d7-42184fc40d95\u0026get_ip_info=ff93\r\nHost: 128.199.97.77\r\nGET /logs/log.info?package=com.swe.dgbluancher\u0026osv=10\u0026gaid=ff9300dd-f771-40ff-84d7-42184fc40d95\u0026get_ip_info=ff93\r\nHost: 128.199.97.77\r\nGET /d/bcc/v2/o/ffeca781ecfd6067e5e56b04d67edc7e HTTP/1.1\r\nHost: dct.g1ee.com\r\nDeleted member 11959327\r\nGuest\r\n#3\r\nIs your device roughly the same as this?\r\nhttps://www.amazon.com/gp/product/B08CRV62C4\r\nI have that one. It still has the shipped build. I haven't had it hooked up much because it is kind of a piece of crap. I'll check and see what it has.\r\nThis might be kind of a good argument to use certified builds on certified devices. But the amount of data collection done by those would make your head spin. And it is all outsourced to the factory. Servers to sdmc, sei, skyworth, and the like. Sdmc even advertises these features as \"big data\" features.\r\n#4\r\nIs your device roughly the same as this?\r\nhttps://www.amazon.com/gp/product/B08CRV62C4\r\nI have that one. It still has the shipped build. I haven't had it hooked up much because it is kind of a piece of crap. I'll check and see what it has.\r\nThis might be kind of a good argument to use certified builds on certified devices. But the amount of data collection done by those would make your head spin. And it is all outsourced to the factory. Servers to sdmc, sei, skyworth, and the like. Sdmc even advertises these features as \"big data\" features.\r\nThat's the one! I'm about to pull the trigger on a second one to see how deep the rot goes. If this is how they come from Amazon it'd be a pretty big deal.\r\n#6\r\nThat's... horrifying.\r\nJust to confirm, you're using a stock device, unflashed box?\r\nDid you see the да folder in:\r\n/data/data/com.swe.dgbluancher/files\r\nHow did you discover your device was infected? If possible, can you name where you bought the device, like an Amazon link or similar?\r\n#7\r\nYes, stock. I bought four of these:\r\nThey were being blown out for ~ $14 each. Wonder why.....\r\nI can't claim credit, found your threads here. I was looking for options to flash Linux to them in order to run Klipper or Kodi. Had taken a look around the stock Android, and being paranoid that included preinstalled apps. I was actually thinking it was fairly clean compared to say an ATT Motorola prepaid Android phone or something. But that \"luancher\" was there, for sure. Without uninstall or disable options.\r\n#9\r\nIt seems to be a popular Android box over there. Here is the link to a megathread dedicated to that device:\r\n{Mod edit: Link removed. Oswald Boelcke}\r\nIt might be helpful to ask in that forum if anyone with one of these devices sees the folder:\r\n/data/data/com.swe.dgbluancher/files/да\r\n...and if so, let them know their device is compromised.\r\nThe firmware links being shared here and elsewhere have the malware built-in. Actually, I have yet to see a 'clean' downloadable firmware for this box, anywhere on the Internet.\r\n#10\r\nYes, stock. I bought four of these:\r\nThey were being blown out for ~ $14 each. Wonder why.....\r\nI can't claim credit, found your threads here. I was looking for options to flash Linux to them in order to run Klipper or Kodi. Had taken a look around the stock Android, and being paranoid that included preinstalled apps. I was actually thinking it was fairly clean compared to say an ATT Motorola prepaid Android phone or something. But that \"luancher\" was there, for sure. Without uninstall or disable options.\r\nThanks for the info. Really hard to believe these devices can be built for $14 with the reseller making a dollar or two per unit.\r\nDoes the folder /data/data/com.swe.dgbluancher/files/да exist on your device?\r\n#11\r\nTo be clear, com.swe.dgbluancher appears to be a simple open-source launcher that was rebuilt with the malware and packaged in the ROM. The presence of the launcher is not an indication of malware, but the \"/да\" folder definitely is.\r\nThe Universal Android Debloater will get rid of this easily, but I'm not sure that is enough to clean the device. There may be more nasty stuff in the ROM I haven't yet found. For a safe replacement, I'm using Microsoft Launcher because it includes an entry point to the device's settings menu.\r\n#12\r\nOne last bit of traffic I can't account for:\r\nycxrl.com / li1470-135.members.linode.com (139.162.57.135)\r\nEvery few minutes the T95 wants to send \"something\" to ycxrl.com\r\n|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1\r\n|ycxrl.com|POST /terminal/client/apiInfo HTTP/1.1\r\nHow many of these things sold on Amazon and AliExpress?!\r\n#13\r\nUpdate -- The malware injects the system_server process. Looks to be deeply baked into the ROM.\r\nIf I can't remove this malware, find a clean ROM, or get 'regular' Linux running, this T95 box is worse than useless.\r\nPretty sophisticated malware, resembling CopyCat in how it works.\r\n#14\r\nThis was actually an interesting topic. Part of me isn't surprised because I've heard of a lot of these types of boxes and mobile devices used for stuff like botnets. I have a Xiaomi Mi Box and am curious if they are also similar.\r\nIt makes me curious what a good modern Android box is these days.\r\n#15\r\nXiaomi maybe not so much, but these vendors on Amazon operating with names like BLAÜMTRON could be up to anything apparently.\r\nIf other T95 owners can check their devices for DNS traffic to ycxrl.com it'd be a huge help to determine the extent of this problem.\r\n#16\r\nIt seems to be a popular Android box over there. Here is the link to a megathread dedicated to that device:\r\n{Mod edit: Link removed. Oswald Boelcke}\r\nIt might be helpful to ask in that forum if anyone with one of these devices sees the folder:\r\n/data/data/com.swe.dgbluancher/files/да\r\n...and if so, let them know their device is compromised.\r\nThe firmware links being shared here and elsewhere have the malware built-in. Actually, I have yet to see a 'clean' downloadable firmware for this box, anywhere on the Internet.\r\n@DesktopECHO\r\nI've removed the link to 4pda from your above post! 4pda is not only another phone-related website (and not at all affiliated with xda-developers) but also well known for the distribution of malware and warez. Links or references to 4pda are not accepted on XDA.\r\nXDA Forum Rules (excerpt):\r\n...\r\n6. Do not post or request warez.\r\nIf a piece of software requires you to pay to use it, then pay for it. We do not accept warez nor do we permit members to request, post, promote or describe ways in which warez, cracks, serial codes or other means of avoiding payment, can be obtained or used. This is a site of developers, i.e. the sort of people who create such software. When you cheat a software developer, you cheat us as a community.\r\n(...)\r\n11. Don't post with the intention of selling something.\r\nDon't use XDA to advertise your product or service. Proprietors of for-pay products or services may use XDA to get feedback, provide beta access, or a free version of their product for XDA users and to offer support, but not to post with the intention of selling. This includes promoting sites similar / substantially similar to XDA-Developers.com.\r\nDo not post press releases, announcements, links to trial software or commercial services, unless you're posting an exclusive release for XDA-Developers.com.\r\nEncouraging members to participate in forum activities on other phone-related sites is prohibited.\r\nOff-site downloads are permitted if the site is non-commercial and does not require registration.\r\nOff-site downloads from sites requiring registration are NOT encouraged but may be permitted if both of the following conditions are met:\r\nA) The site belongs to a member of XDA-Developers with at least 1500 posts and 2 years membership, who actively maintains an XDA-Developers support thread(s) / posts, related to the download.\r\nB) The site is a relatively small, personal website without commercial advertising / links (i.e. not a competitor forum-based site with purposes and aims similar to those of XDA-Developers.com.)\r\n...\r\nPlease refrain from sharing such links in future! Thanks for your cooperation.\r\nRegards\r\nOswald Boelcke\r\nSenior Moderator\r\n#19\r\nXiaomi maybe not so much, but these vendors on Amazon operating with names like BLAÜMTRON could be up to anything apparently.\r\nIf other T95 owners can check their devices for DNS traffic to ycxrl.com it'd be a huge help to determine the extent of this problem.\r\nI would love to check for this, what do I need..??\r\n#20\r\nSo, I just bought an H96 MAX with RK3528 CPU, 4G+64GB storage and Android 13 and was curious if these are infected, too.\r\nThis is a list of how I tested the device:\r\nConnected the device to an empty and isolated VLAN.\r\nDid a network packet analysis for traffic coming from that VLAN; no suspicious traffic detected.\r\nScanned the device with a forensics tool called MVT. Root binary \"su\" together with \"busybox\" detected. Means the device is rooted. No malware / virus detected.\r\nDumped all user APKs and uploaded them to VirusTotal. No detections, everything is clean.\r\nGained root access via su binary, dumped all system APKs and uploaded them to VirusTotal. 2 minor detections; analyzed the behavior of these deeper, false positive in my opinion. Everything else is clean.\r\nChecked if known malware / virus folder /data/system/Corejava or file /data/system/shared_prefs/open_preference.xml exists in filesystem. They do not exist.\r\nADB has no confirmation; if enabled in Android Settings, every device can connect.\r\nSU has no confirmation nor any notification on screen.\r\nConclusion:\r\nThe device looks clean; besides 2 minor false positives there was no suspicious activity or malware / virus detected.\r\nThe device is rooted by default with su. This is dangerous because any app can request root and the user wouldn't notice. I recommend replacing the binary with some solution that gives feedback to the user.\r\nAnyone in the same network can connect to the device via ADB without any confirmation. Keep that in mind and maybe disable ADB if not needed.\r\nSource: https://xdaforums.com/t/owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://xdaforums.com/t/owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567/"
	],
	"report_names": [
		"owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567"
	],
	"threat_actors": [],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90cae1dd94e2f5dd0c13d219ea528f58e3b8abd7.pdf",
		"text": "https://archive.orkl.eu/90cae1dd94e2f5dd0c13d219ea528f58e3b8abd7.txt",
		"img": "https://archive.orkl.eu/90cae1dd94e2f5dd0c13d219ea528f58e3b8abd7.jpg"
	}
}