
T95 Android TV (Allwinner H616) includes malware right out-of-the-box


A few months ago I purchased a [T95 Android TV](https://m.media-amazon.com/images/I/716SS0ze8pL.jpg) box; it came with Android 10 (with working Play store) and an Allwinner H616 processor. It’s a small-ish black box with a blue swirly graphic on top and a digital clock on the front. There’s got to be thousands (or more!) of these boxes already in use globally.

There are [tons of them available for purchase on Amazon](https://www.amazon.com/s?k=t95+h616&crid=2MYAV99P2V0S3&sprefix=t95+h616%2Caps%2C121&ref=nb_sb_noss_2) and AliExpress.

This device’s ROM turned out to be very very sketchy — Android 10 is signed with test keys, and named “Walleye” after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If test keys weren’t enough of a bad omen, I also found ADB wide open over the Ethernet port – right out-of-the-box.

I purchased the device to run [Pi-hole](https://github.com/DesktopECHO/Pi-hole-for-Android) among other things, and that’s how I discovered just how nastily this box is festooned with malware. After running the Pi-hole install I set the box’s DNS1 and DNS2 to [127.0.0.1](https://127.0.0.1) and got a [hell of a surprise](https://forum.xda-developers.com/attachments/1668625298269-png.5763127/). The box was reaching out to many known, **active** malware addresses.

After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using `tcpflow` and `nethogs` to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.

The final bit of malware I could not track down injects the `system_server` process and looks to be deeply baked into the ROM. It’s pretty sophisticated malware, resembling [CopyCat](https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf) in the way it operates. It’s not found by any of the AV products I tried. If anyone can offer guidance on how to find these hooks into `system_server` please let me know here or via PM.

The closest I could come to neutralizing the malware was to use Pi-hole to point the DNS for the command and control server, **YCXRL.COM**, at *127.0.0.2*. You can then monitor activity with netstat:

```
netstat -nputwc | grep 127.0.0.2

tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server
tcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT -
tcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 -
tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server
tcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT -
tcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 -
tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server
tcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT -
tcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 -
tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server
```

I also had to create an iptables rule to redirect all DNS to the Pi-hole as the malware/virus/whatever will use external DNS if it can’t resolve. By doing this, the C&C server ends up hitting the Pi-hole webserver instead of sending my logins, passwords, and other PII to a Linode in Singapore (currently **139.162.57.135** at time of writing).

```
1672673217|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673247|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673277|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673307|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673907|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673937|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673967|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673997|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
```
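An added example, not code from the original post or from the Pi-hole project, that automates the check the log above lets you do by eye: it parses Pi-hole web-server log lines in the same `epoch|host|request|status|bytes` format, groups requests by host and path, and flags endpoints hit at a steady interval, which is the signature of a scheduled C2 check-in. The sample lines are constructed; the `ycxrl.com` host and `/terminal/client/eventinfo` path are the ones reported above, the `pi.hole` lines are filler, and the 600-second gap shows that a single pause does not hide the pattern.

```python
"""Flag C2-style beaconing in Pi-hole web-server access log lines
(format as in the post: epoch|host|request line|status|bytes)."""
from collections import defaultdict
from statistics import median

# Constructed sample in the page's log format; the ycxrl.com host and the
# /terminal/client/eventinfo path are the ones the post reports. A 404 here
# means the sinkholed C2 request landed on the Pi-hole web server instead.
SAMPLE_LOG = """\
1672673217|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673247|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673277|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673307|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673907|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673937|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673300|pi.hole|GET /admin/ HTTP/1.1|200|1234
1672673400|pi.hole|GET /admin/api.php HTTP/1.1|200|512
"""

def parse_line(line):
    """Split one log line into (epoch, host, method, path, status)."""
    ts, host, request, status, _size = line.split("|", 4)
    method, path, _proto = request.split(" ", 2)
    return int(ts), host, method, path, int(status)

def find_beacons(log_text, min_hits=4, jitter=0.2):
    """Return {(host, method, path): median gap in seconds} for endpoints hit
    at a steady cadence, the signature of a scheduled check-in. `jitter` is
    the tolerated deviation from the median gap, as a fraction of it."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, host, method, path, _status = parse_line(raw)
            hits[(host, method, path)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Most gaps must sit inside the jitter band; one long pause (a reboot,
        # a DNS failover) must not hide an otherwise regular pattern.
        regular = sum(1 for g in gaps if abs(g - med) <= jitter * med)
        if regular >= 0.75 * len(gaps):
            beacons[key] = med
    return beacons

for (host, method, path), gap in find_beacons(SAMPLE_LOG).items():
    print(f"beacon: {method} {host}{path} every ~{gap:.0f}s")
```

On a real box, feed it the Pi-hole web-server log and tighten `min_hits` or `jitter` once you know the cadence of the traffic you are hunting.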

I’m not ok with just neutralizing malware that’s still active, so this box has been removed from service until a solution can be found or I impale it with a long screwdriver and toss this Amazon-supplied malware-tainted bomb in the garbage where it belongs.

The main take-away here: Don’t trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys. They are stealing your data and (unless you can watch DNS logs) do so without a trace!
