It would appear that the supply chain has come under attack again for Android users: https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/ Malwarebytes had already documented the same problem on T95 TV boxes in January 2023: https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon
Indicators of Compromise
Root Access
It would appear that on compromised devices a “root switch” has been added to the Android About screen in system settings. If it is present, treat the device as compromised and initiate a return or replacement.
Shell Games
Connect to the device with adb and open a shell (adb shell). On compromised units the shell identifies the device as “walleye”, the build codename of the Google Pixel 2, which a T95 box clearly is not. From the same session, adb shell pm list packages -f lists every installed package together with the path of its APK, which is the quickest way to spot anything sitting outside the expected system and vendor locations.
CoreJava Directories Ought Not Be There
On the Android filesystem, compromised hosts have a directory called /data/system/Corejava. It contains malicious file objects. Looking at the VirusTotal results of the Corejava classes.dex found in my own T95 TV box aligned with it being a Trojan Downloader. The clearest evidence of this were URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:
hxxps://dy.kr.wildpettykiwi.info/dykr/update
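To check the shell identity, the Corejava directory and the package list in one pass, here is an added triage script. It is not from the original post, nor from Malwarebytes or Ars Technica. It assumes adb is installed and the box is connected and authorized; that getprop exposes the same device name the shell prompt shows (the page only reports the prompt, so the property names ro.product.device, ro.product.name, ro.build.product and ro.hostname are an assumption); and that the adb shell can read /data/system, which is plausible on a box that ships rooted but fails with "Permission denied" on a normal device. The package filter, which treats any APK outside the standard /system, /vendor, /product and /data/app locations as worth a look, is my own heuristic rather than an indicator from the page.

```shell
#!/bin/sh
# Added triage script for the T95 indicators discussed above. Not from the
# original post, Malwarebytes or Ars Technica.
# Assumptions (not stated on the page):
#   - adb is on PATH and the box is connected and authorized
#   - getprop exposes the same device name the shell prompt shows
#     (the page only reports the prompt; the property names are a guess)
#   - the adb shell can read /data/system (likely on a box that ships
#     rooted; a normal, non-rooted device returns "Permission denied")

# Indicator 1: the device name. 'walleye' is the Pixel 2 build codename,
# which no T95 box should report. $1 is a raw property value; CRs from
# older adb versions and stray whitespace are stripped before comparing.
is_walleye() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        walleye) return 0 ;;
        *)       return 1 ;;
    esac
}

# Indicator 2: the /data/system/Corejava directory. $1 is a newline-separated
# listing of /data/system as produced by ls.
has_corejava() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qx 'Corejava'
}

# Heuristic (mine, not an indicator from the page): packages whose APK lives
# outside the standard system, vendor or /data/app locations deserve a look,
# since Corejava turned up under /data/system. $1 is the output of
# "pm list packages -f" (lines like package:/path/base.apk=com.example).
suspicious_packages() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep '^package:' | sed 's/^package://' \
        | grep -Ev '^/(system|vendor|product|oem|odm|apex|data/app)' || true
}

# Live run against the attached box; prints one line per finding.
triage() {
    prop=""; val=""; listing=""; pkgs=""
    for prop in ro.product.device ro.product.name ro.build.product ro.hostname; do
        val=$(adb shell getprop "$prop" 2>/dev/null || true)
        if is_walleye "$val"; then
            echo "FOUND: $prop=walleye (Pixel 2 codename on non-Pixel hardware)"
        fi
    done
    listing=$(adb shell ls /data/system 2>/dev/null || true)
    if has_corejava "$listing"; then
        echo "FOUND: /data/system/Corejava is present"
    fi
    pkgs=$(adb shell pm list packages -f 2>/dev/null || true)
    suspicious_packages "$pkgs" | sed 's/^/CHECK: APK outside standard locations: /'
}

# Only run the live checks when adb is installed and a device is attached,
# so the helper functions can also be sourced and exercised offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    triage
fi
```

Run it with the box attached and USB debugging enabled; any FOUND line is reason enough to return the device rather than attempt cleanup, and CHECK lines are leads to look at with the VirusTotal approach described above. The helpers take their input as strings so they can be exercised against saved adb output without a device.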
Conclusion
The Malwarebytes article (https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon) offers steps to remediate this on the compromised device. Note, though, that the Ars Technica report describes the backdoor as unkillable, so the return or replacement route above remains the safer outcome. These boxes are bought precisely because they are cheap, and the malware is preinstalled rather than downloaded, so unsuspecting users on a budget keep falling victim to these attacks without having done anything wrong.