Android TV Box On Amazon Came Pre-Installed With Malware
A Canadian systems security consultant discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware. BleepingComputer reports:

The malware was discovered by Daniel Milisic, who created a script and instructions to help users nullify the payload and stop its communication with the C2 (command and control) server. The device in question is the T95 Android TV box with an AllWinner T616 processor, widely available through Amazon, AliExpress, and other big e-commerce platforms. It is unclear if this single device was affected or if all devices from this model or brand include the malicious component. Milisic believes the malware installed on the device is a strain that resembles 'CopyCat,' a sophisticated Android malware first discovered by Check Point in 2017. This malware was previously seen in an adware campaign where it infected 14 million Android devices to make its operators over $1,500,000 in profits. The analyst tested the stage-1 malware sample on VirusTotal, where it returns only 13 detections out of 61 AV engine scans, classified with the generic term of an Android trojan downloader.

[...] Unfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability. In many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate.

[...] To avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.