
Certain Android TV Box models from manufacturers AllWinner and RockChip, available for purchase on Amazon, come pre-loaded with malware from the BianLian family, a variant of which we investigated last year. The malware, discovered by security researcher Daniel Milisic, adds your smart set-top box to a botnet for initiating coordinated attacks. By looking at the traffic being sent by these devices, the researcher was surprised to find a number of DNS requests being sent for domains publicly known to be botnet Command and Control (C&C) servers. Affected models include the AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10. The researcher also extracted a Stage-1 payload for the malware and contacted Linode, who had been hosting some of the C&C servers, getting them to shut them down. Having reached out to AllWinner, the researcher received a response denying the presence of malware and attributing the malicious traffic observed to the presence of Logcat on the system, a fact which is wholly unrelated.

EFF was able to independently confirm the researcher's findings. What's more, the T95 smart set-top box came out-of-the-box with the Android Debugger (adb) wide open and available over WiFi. The Android Debugger gives access to control a device, including issuing commands and installing apps. The device firmware was signed with a testing key, and no clean or production-ready firmware was made available to consumers.

Without access to a clean version of the system firmware, consumers are left without a clear way to clean their system of the malware. The widespread availability of these low-end devices presents a danger to consumers, their networks, and the security and stability of the internet at large. Though it would be impractical to conduct a thorough security audit for all merchandise sold on Amazon, a more thorough vetting process could be introduced before selling consumer-grade IoT devices. For instance, a basic network analysis would have found these devices communicating with C&C servers and having wide-open adb ports. The sale of these devices reveals some glaring holes in public cybersecurity infrastructure. The devices, manufactured by little-known third-party vendors based in China, have little reputation to protect.
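The "basic network analysis" mentioned above, namely watching which domains a device resolves and whether it exposes adb over the network, is easy to automate on a home or lab network. The following is an added illustration, not the researcher's or EFF's tooling: it parses constructed dnsmasq-style DNS query lines, flags clients that looked up a domain (or a subdomain of one) on a defender-maintained C&C blocklist, and cross-references a constructed port-scan result to report devices with TCP 5555 (adb's default network port) open. The blocklist entries, client addresses and log lines are all made up for the example; the real C&C domains from the research are not reproduced here.

```python
"""Added example: triage LAN devices by C&C DNS lookups and exposed adb.

Not the researcher's or EFF's tooling. Log format is dnsmasq-style; the
blocklist domains, client IPs and scan results are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed blocklist (placeholders): domains a defender already knows to be
# botnet C&C. A real deployment would load this from a threat-intel feed.
CNC_BLOCKLIST = {"cnc-example-1.invalid", "cnc-example-2.invalid"}

# Default TCP port adb listens on when enabled over the network.
ADB_TCP_PORT = 5555

# Constructed dnsmasq-style query lines: "... query[TYPE] <domain> from <client>"
SAMPLE_DNS_LOG = """\
Jan 10 12:00:01 dnsmasq[123]: query[A] time.android.com from 192.168.1.20
Jan 10 12:00:03 dnsmasq[123]: query[A] cnc-example-1.invalid from 192.168.1.20
Jan 10 12:00:05 dnsmasq[123]: query[A] example.com from 192.168.1.30
Jan 10 12:00:09 dnsmasq[123]: query[AAAA] sub.cnc-example-2.invalid from 192.168.1.20
"""

# Constructed port-scan summary: client IP -> set of open TCP ports.
SAMPLE_OPEN_PORTS = {
    "192.168.1.20": {5555, 8080},
    "192.168.1.30": {22},
}

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<domain>\S+)\s+from\s+(?P<client>\S+)"
)


def parse_dns_log(text):
    """Yield (client_ip, domain) for every query line the regex recognises."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("domain").rstrip(".").lower()


def domain_in_blocklist(domain, blocklist=CNC_BLOCKLIST):
    """True if the domain or any parent domain is blocklisted.

    Walking the label suffixes means sub.cnc-example-2.invalid still matches
    the cnc-example-2.invalid entry.
    """
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_cnc_lookups(text, blocklist=CNC_BLOCKLIST):
    """Map each client IP to the sorted blocklisted domains it resolved."""
    hits = defaultdict(set)
    for client, domain in parse_dns_log(text):
        if domain_in_blocklist(domain, blocklist):
            hits[client].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}


def find_exposed_adb(open_ports, port=ADB_TCP_PORT):
    """Return the sorted client IPs whose scan result shows the adb port open."""
    return sorted(ip for ip, ports in open_ports.items() if port in ports)


def triage(text, open_ports):
    """Combine both signals into one finding per suspicious device."""
    cnc = find_cnc_lookups(text)
    adb = set(find_exposed_adb(open_ports))
    return {
        ip: {"cnc_domains": cnc.get(ip, []), "adb_exposed": ip in adb}
        for ip in set(cnc) | adb
    }


if __name__ == "__main__":
    for ip, finding in sorted(triage(SAMPLE_DNS_LOG, SAMPLE_OPEN_PORTS).items()):
        print(ip, finding)
```

On the constructed input, 192.168.1.20 is reported for both signals while 192.168.1.30 is silent; a device that trips both checks at once is exactly the profile the researcher describes, and the DNS check is the one a consumer or retailer could run with no more than a resolver log.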
