Thousands of Android/TV Ship with Malware – Week 7

It would appear that the supply chain has come under attack again for Android users: https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/ It is confirmed by MalwareBytes as well: https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon

Indicators of Compromise

Root Access

It would appear that on compromised devices a “root switch” has been added to the Android About screen in system settings. If this is found, it is safe to initiate a return or replacement.

Shell Games

If you connect to the device with adb and run the shell utility, the compromised systems (via adb shell pm list packages -f) identify themselves as “walleye” within the shell, which is the device name of an old Google Pixel 2.

CoreJava Directories Ought Not Be There

On the Android filesystem, compromised hosts have a directory called /data/system/Corejava. It contains malicious file objects. Looking at the VirusTotal results for the Corejava classes.dex found in my own T95 TV box, they align with it being a Trojan Downloader. The clearest evidence of this was the URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:

hxxps://dy.kr.wildpettykiwi.info/dykr/update

Conclusion

The MalwareBytes article (https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon) offers steps to remediate this on a compromised device. Even though a deal like this may look too good to be true, it is common for unsuspecting users on a budget to fall victim to these attacks.