Android TV

A few weeks ago, Hackread.com reported on a malware-infected Android TV box sold on Amazon: the T95 TV box.[1]  The box contained pre-installed malware, which was discovered by a Canadian developer and security systems consultant.  Now the same TV box is in the news again, this time with security threats identified by a Malwarebytes mobile malware researcher.  He bought the device from Amazon to investigate further and immediately noticed something was off: the box was rooted regardless of whether the toggle switch was on or off.[2]

What is Rooting? – On an Android device, rooting refers to obtaining the highest level of access, known as root.  It allows the user to modify system-level directories and files, which is otherwise not possible.  Developers need this elevated access to test a device in the pre-production phase; production Android devices, however, are not rooted.  If the command adb (Android Debug Bridge) root is run on a production Android device, it displays the error “adb cannot run.”[3]  Conversely, on a rooted device the message is “restarting as root” or “adb is already running as root.”

Tools Used in the Research – The researcher analyzed the Android TV box with a few tools: Android Debug Bridge (adb) from Android Studio; Telerik Fiddler Classic, an internet traffic monitor with strong HTTPS capture capabilities; the NoRoot Firewall app, which allows or denies network traffic per app; and the LogCat command-line tool.

Performing the Research on the T95 TV Box – The analysis hypothesized that DGBLuancher was the APK responsible for loading and running Corejava classes.dex.  To test this, he uninstalled DGBLuancher and kept Corejava classes.dex: the malicious traffic stopped immediately, so without DGBLuancher, Corejava classes.dex cannot run.  He then reinstalled DGBLuancher, this time removing Corejava classes.dex, and again the malicious traffic stopped and no new traffic was produced.  This means the traffic requires Corejava classes.dex.  He therefore concluded that DGBLuancher was the APK loading Corejava classes.dex.  Later, the researcher deleted Corejava classes.dex from /data/system/Corejava, but it reappeared immediately after a reboot; once DGBLuancher was uninstalled, Corejava classes.dex stopped reappearing.  This strengthened the hypothesis that DGBLuancher was the culprit, as it was creating Corejava classes.dex.

Next he had to find out why Corejava classes.dex reappeared.  He learned that system_server ran more commands in the background than just creating /data/system/Corejava.  DGBLuancher used system_server to create Corejava classes.dex, so system_server was not the culprit but the conduit.  He could not determine why Corejava classes.dex reappeared.

Figure 1.  A T95 Android TV box sold on Amazon

How to Fix the Issue? – In a blog post, the researcher recommends a factory reset before proceeding to fix the issue.  The factory reset removes any malware that may have been downloaded in the meantime.  Afterwards, keep the box off the network until you have installed adb on a Linux, Windows, or Mac machine and put the box into Developer Mode.  Turn on USB0 device mode so adb can connect.  Connect your PC to the box, open a terminal (such as Command Prompt on Windows), and type adb devices; the output lists the attached devices with their ID numbers.  You can then remove DGBLuancher.  See Nathan Collier’s blog on Malwarebytes for the detailed remediation process.
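To make the adb checks from the two sections above (the rooting test and the remediation steps) repeatable, here is a small POSIX shell helper.  It is an added example, not code from the Red Sky Alliance post or from Malwarebytes’ research.  It assumes adb is on the PATH when run with --live, and that the strings it matches are the ones the real adb root command prints on production builds (“adbd cannot run as root in production builds”) and on rooted builds (“restarting adbd as root” / “adbd is already running as root”); the article quotes shortened forms of the same messages.  The functions take command output as text so they can be checked without a device attached; the --live branch runs the actual adb commands against the first device in the “device” state and looks for the /data/system/Corejava directory the article says DGBLuancher recreates.

```shell
#!/bin/sh
# Added example (not from the article or Malwarebytes): helpers for the
# adb-based checks described in the post. Assumes `adb` is on PATH only
# when run with --live; message strings below are the ones `adb root`
# prints on production builds vs. rooted builds.

# Classify the text printed by `adb root` as production, rooted or unknown.
classify_root_status() {
  case "$1" in
    *"cannot run as root"*)                                  echo production ;;
    *"restarting adbd as root"*|*"already running as root"*) echo rooted ;;
    *)                                                       echo unknown ;;
  esac
}

# Print the serial of every device that `adb devices` lists in the
# "device" state (skips the header line and unauthorized/offline entries).
list_device_serials() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Decide from the exit status ($1) and output ($2) of
# `adb shell ls -d /data/system/Corejava` whether that directory exists.
corejava_dir_present() {
  [ "$1" -eq 0 ] && [ "${2#*No such file}" = "$2" ]
}

# Live mode: run the real adb commands against the first attached device.
if [ "${1:-}" = "--live" ]; then
  serial=$(list_device_serials "$(adb devices)" | head -n 1)
  if [ -z "$serial" ]; then
    echo "no device in 'device' state; enable USB debugging and accept the prompt" >&2
    exit 1
  fi
  echo "device: $serial"
  echo "root status: $(classify_root_status "$(adb -s "$serial" root 2>&1)")"
  out=$(adb -s "$serial" shell ls -d /data/system/Corejava 2>&1); rc=$?
  if corejava_dir_present "$rc" "$out"; then
    echo "/data/system/Corejava exists: re-check after a reboot with DGBLuancher removed"
  else
    echo "/data/system/Corejava not found"
  fi
fi
```

Run it as sh check_t95.sh --live with the box connected over USB; without --live it only defines the functions, which is what makes the parsing logic testable offline.  The directory check mirrors the article’s own test: if /data/system/Corejava is gone after a reboot with DGBLuancher uninstalled, the launcher was what kept recreating it.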

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.hackread.com/amazon-android-tv-box-malware/

[2] https://www.hackread.com/amazon-t95-tv-box-pre-installed-malware/

[3] https://developer.android.com/studio/command-line/adb
