
T95 Android TV (Allwinner H616) includes malware right out-of-the-box

A few months ago I purchased a T95 Android TV box; it came with Android 10 (with a working Play Store) and an Allwinner H616 processor. It’s a small-ish black box with a blue swirly graphic on top and a digital clock on the front. There’s got to be thousands (or more!) of these boxes already in use globally.

There are tons of them available for purchase on Amazon and AliExpress.

This device’s ROM turned out to be very, very sketchy: Android 10 is signed with test keys, and named “Walleye” after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If test keys weren’t enough of a bad omen, I also found ADB wide open over the Ethernet port, right out of the box.

I purchased the device to run Pi-hole among other things, and that’s how I discovered just how nastily this box is festooned with malware. After running the Pi-hole install I set the box’s DNS1 and DNS2 to []( and got a hell of a surprise: the box was reaching out to many known, **active** malware addresses.

After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using `tcpflow` and `nethogs` to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.

The final bit of malware I could not track down injects into the `system_server` process and looks to be deeply baked into the ROM. It’s pretty sophisticated malware, resembling CopyCat in the way it operates. It’s not found by any of the AV products I tried. If anyone can offer guidance on how to find these hooks into `system_server`, please let me know here or via PM.

The closest I could come to neutralizing the malware was to use Pi-hole to change the DNS of the command and control server, **YCXRL.COM**, to **. You can then monitor activity with netstat:

```
netstat -nputwc | grep

tcp6 1 0 CLOSE_WAIT 2262/system_server
tcp 0 0 TIME_WAIT –
tcp 0 0 FIN_WAIT2 –
tcp6 1 0 CLOSE_WAIT 2262/system_server
tcp 0 0 TIME_WAIT –
tcp 0 0 FIN_WAIT2 –
tcp6 1 0 CLOSE_WAIT 2262/system_server
tcp 0 0 TIME_WAIT –
tcp 0 0 FIN_WAIT2 –
tcp6 1 0 CLOSE_WAIT 2262/system_server
```

I also had to create an iptables rule to redirect all DNS to the Pi-hole as the malware/virus/whatever will use external DNS if it can’t resolve. By doing this, the C&C server ends up hitting the Pi-hole webserver instead of sending my logins, passwords, and other PII to a Linode in Singapore (currently **** at time of writing).

```
1672673217||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673247||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673277||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673307||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673907||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673937||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673967||POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673997||POST /terminal/client/eventinfo HTTP/1.1|404|0
```
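The two steps above (force every DNS query through the Pi-hole, then confirm the sinkholed C2 beacons are landing on it) as one worked example. This is an added script, not code from the original post, and it makes assumptions the post does not state: the iptables rules run on a Linux gateway between the box and the internet, the Pi-hole is at 192.168.1.2, the LAN interface is eth0, and the log lines are constructed to mirror the layout and 30-second cadence of the excerpt above with the host column filled in.

```shell
#!/bin/sh
# Added example, not part of the original post. (1) iptables rules that force
# all port-53 traffic from the LAN through the Pi-hole, so a domain sinkholed
# there cannot be resolved via a hardcoded external resolver; (2) a check over
# access-log lines in the  epoch|host|request|status|bytes  layout shown above
# that measures the beacon interval to a given host.
#
# Assumptions (not stated on the page): rules run on a Linux gateway between
# the box and the internet; Pi-hole is 192.168.1.2; LAN interface is eth0.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-eth0}"

# Print (do not apply) the rules. DNAT rewrites any DNS not already headed for
# the Pi-hole; queries *from* the Pi-hole are excluded so its upstream lookups
# do not loop back. The MASQUERADE line is the hairpin fix for a Pi-hole on the
# same LAN as the box: without it the Pi-hole replies directly from its own
# address, the box gets an answer from an IP it never queried and drops it.
# Side effect: the Pi-hole query log then shows the gateway as the client.
# Port 853 (DNS over TLS) is dropped so the box cannot sidestep the redirect;
# DNS over HTTPS on 443 cannot be caught by a port rule like this.
dns_redirect_rules() {
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
      "$LAN_IF" "$PIHOLE_IP" "$proto" "$PIHOLE_IP" "$PIHOLE_IP"
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -j MASQUERADE\n' \
      "$LAN_IF" "$PIHOLE_IP" "$proto"
  done
  printf 'iptables -A FORWARD -i %s -p tcp --dport 853 -j DROP\n' "$LAN_IF"
}

# Read log lines on stdin and print the most common gap, in seconds, between
# requests whose host field equals $1. A steady value such as 30 is the
# beacon timer; 0 means fewer than two hits for that host.
beacon_interval() {
  awk -F'|' -v host="$1" '
    $2 == host { ts[n++] = $1 + 0 }
    END {
      if (n < 2) { print 0; exit }
      # insertion sort: the log is small and may not be in time order
      for (i = 1; i < n; i++) {
        v = ts[i]; j = i - 1
        while (j >= 0 && ts[j] > v) { ts[j + 1] = ts[j]; j-- }
        ts[j + 1] = v
      }
      for (i = 1; i < n; i++) gaps[ts[i] - ts[i - 1]]++
      best = 0
      for (g in gaps) if (gaps[g] > best) { best = gaps[g]; mode = g }
      print mode
    }'
}

# Constructed sample: the page's log layout with the host column filled in
# with the C2 domain named in the post, timestamps copied from the excerpt
# (beacons every 30 s with one ten-minute gap), plus one unrelated admin hit.
SAMPLE_LOG='1672673217|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673247|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673277|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673300|pi.hole|GET /admin/ HTTP/1.1|200|1234
1672673307|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673907|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673937|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673967|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
1672673997|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0'

case "${1:-}" in
  --apply) dns_redirect_rules | sh ;;   # run as root on the gateway
  *) dns_redirect_rules
     printf 'beacon interval for ycxrl.com: %ss\n' \
       "$(printf '%s\n' "$SAMPLE_LOG" | beacon_interval ycxrl.com)" ;;
esac
```

Run without arguments to review the rules and see the interval computed from the constructed sample; run with `--apply` as root on the gateway to install them. Feed real lines with `beacon_interval ycxrl.com < access.log` once the sinkhole is in place; a 30-second mode matching the excerpt above confirms the beacons are reaching the Pi-hole rather than the real C2 host.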

I’m not ok with just neutralizing malware that’s still active, so this box has been removed from service until a solution can be found or I impale it with a long screwdriver and toss this Amazon-supplied malware-tainted bomb in the garbage where it belongs.

The main takeaway here: Don’t trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys. They are stealing your data and (unless you can watch DNS logs) do so without a trace!
