Android TV box comes totally infected
The Internet of Things is very interesting for developers and distributors of malware. Adware, for example, can often go undetected on small devices in particular, since users rarely think about updates or security measures. In the current case, Canadian security researcher Daniel Milisic was able to transfer an Android TV box because it had made unusual requests to the Internet.
how bleeding computer reported that Milisic had acquired the “T95 Android TV box with AllWinner T616 processor” model, which is listed on many other major platforms in addition to Amazon – including retailers in Germany. To make things even more difficult, the same devices are often sold under different brands and names. However, at the current time it is still unclear whether all devices of this model or even this brand contain the harmful component. Milisic noticed the suspicious activity of the TV box when setting up the Pi-Hole software, which can be used to control connections at the DNS level. As the security researcher found out when examining the DNS queries, the device tried to establish a connection with a whole range of IP addresses, which in turn are associated with malware.
old acquaintance
According to an initial analysis, the Android TV box appears to be running an offshoot of the “CopyCat” malware, a very sophisticated piece of malware that was first discovered in 2017. “I found layers and layers of malware (…) and traced it back to the attacking process, which I then removed from ROM,” the analyst explains in a GitHub post. “The last piece of malware I couldn’t track down injects the ‘system_server’ process and appears to be deeply embedded in the ROM.”
See also:
