{
	"id": "f1e17384-fcc6-4bc0-b25e-405cf4524f25",
	"created_at": "2026-04-06T00:17:43.740921Z",
	"updated_at": "2026-04-10T03:20:32.219696Z",
	"deleted_at": null,
	"sha1_hash": "bf2c3177d6444f11f050bb399161a23967c10ff9",
	"title": "Android TV box on Amazon came pre-installed with malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2629440,
	"plain_text": "Android TV box on Amazon came pre-installed with malware\r\nBy Bill Toulas\r\nPublished: 2023-01-12 · Archived: 2026-04-05 13:11:34 UTC\r\nA Canadian systems security consultant discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware.\r\nThe malware was discovered by Daniel Milisic, who created a script and instructions to help users nullify the payload and stop its communication with the C2 (command and control) server.\r\nThe device in question is the T95 Android TV box with an AllWinner T616 processor, widely available through Amazon, AliExpress, and other big e-commerce platforms.\r\nhttps://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/\r\nPage 1 of 5\r\nIt is unclear if only this single device was affected or if all devices of this model or brand include the malicious component.\r\nMalware on the TV streaming box\r\nThe T95 streaming device uses an Android 10-based ROM signed with test keys, with ADB (Android Debug Bridge) open over Ethernet and WiFi.\r\nThis is a suspicious configuration, as ADB can be used to connect to devices for unrestricted filesystem access, command execution, software installation, data modification, and remote control.\r\nHowever, as most consumer streaming devices sit behind a firewall, threat actors will likely be unable to connect to ADB remotely.\r\nMilisic says he initially bought this device to run the Pi-hole DNS sinkhole, which protects devices from unwanted content, advertisements, and malicious sites without installing software.\r\nWhile analyzing the DNS requests in Pi-hole, Milisic discovered that the device was attempting to connect to several IP addresses associated with active malware.\r\nList of malicious domains T95 attempts to connect to (GitHub)\r\nMilisic believes the malware installed on the device is a strain that resembles 'CopyCat,' a sophisticated Android malware first discovered by Check Point in 2017. This malware was previously seen in an adware campaign where it infected 14 million Android devices to make its operators over $1,500,000 in profits.\r\nThe analyst tested the stage-1 malware sample on VirusTotal, where it returned only 13 detections out of 61 AV engine scans, classified with the generic label of an Android trojan downloader.\r\n\"I found layers on top of layers of malware using 'tcpflow' and 'nethogs' to monitor traffic and traced it back to the offending process/APK, which I then removed from the ROM,\" explains the analyst in a GitHub post.\r\n\"The final bit of malware I could not track down injects the 'system_server' process and looks to be deeply baked into the ROM.\"\r\nThe analyst observed that the malware attempted to fetch additional payloads from 'ycxrl.com,' 'cbphe.com,' and 'cbpheback.com.'\r\nBecause finding a clean ROM to replace the malicious one is just as challenging, Milisic resorted to changing the DNS of the C2 to route the requests via the Pi-hole web server, making it possible to block them.\r\nUsers of T95 are recommended to follow these two simple steps to clean their device and nullify the malware that runs on it:\r\n1. Reboot into recovery mode or perform “Factory Reset” from the settings menu.\r\n2. Upon reboot, connect to ADB via USB or WiFi-Ethernet and run this script.\r\nTo confirm that the malware has been rendered harmless, run “adb logcat | grep Corejava” and verify that the chmod command failed to execute.\r\nHowever, as these devices are fairly inexpensive on Amazon, it may be wiser to discontinue using them if you can afford to do so.\r\nAn ambiguous electronics market\r\nUnfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability.\r\nIn many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate.\r\nFurthermore, as the devices commonly flow through many hands, vendors and re-sellers have several opportunities to load custom ROMs on the devices, potentially malicious ones.\r\nEven if most e-commerce sites have policies to prevent selling devices pre-loaded with malware, enforcing these rules by scrutinizing all electronics and confirming they're free of sophisticated malware is practically impossible.\r\nTo avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.\r\nBleepingComputer attempted to contact the listed seller on Amazon but could not find any website or email address associated with the brand.\r\nUpdate 1/13 - Daniel Milisic shared more information about the discovered malware with BleepingComputer, leading to minor corrections and additions in the article.\r\nSource: https://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/"
	],
	"report_names": [
		"android-tv-box-on-amazon-came-pre-installed-with-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf2c3177d6444f11f050bb399161a23967c10ff9.pdf",
		"text": "https://archive.orkl.eu/bf2c3177d6444f11f050bb399161a23967c10ff9.txt",
		"img": "https://archive.orkl.eu/bf2c3177d6444f11f050bb399161a23967c10ff9.jpg"
	}
}