A few weeks back, Hackread.com reported on a malware-infected Android TV box sold on Amazon: the T95 TV box. The box shipped with pre-installed malware, discovered by Canadian developer and security systems consultant Daniel Milisic. Now the same TV box is in the news again, this time through the work of Malwarebytes mobile malware researcher Nathan Collier. He bought the device from Amazon to probe it further and quickly noticed something was off.

Collier found that the box was rooted regardless of whether its root toggle switch was set on or off. On an Android device, rooting means obtaining the highest level of access, the root user, which allows modification of system-level directories and files that are otherwise protected. Developers use this elevated access to test devices before they ship; consumer Android builds are not rooted. Running the command adb root against a production build returns the error "adbd cannot run as root in production builds", whereas on a rooted device it answers "restarting adbd as root" or "adbd is already running as root".

Collier worked with a handful of tools: Android Debug Bridge (adb) from Android Studio's platform tools; the Telerik Fiddler Classic traffic monitor, which can also capture HTTPS; the NoRoot Firewall app, which allows or denies network traffic per app; and the logcat command-line tool.

Collier hypothesized that an app called DGBLuancher was the APK loading Corejava/classes.dex and that the classes.dex file carried the malicious behaviour. To test this, he uninstalled DGBLuancher and left Corejava/classes.dex in place: the malicious traffic stopped immediately. He then reinstalled DGBLuancher and instead deleted Corejava/classes.dex: the malicious traffic again stopped, and no new traffic appeared.
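The two checks described above, the adb root test and Collier's remove-then-reboot experiment, can be scripted. The following is an added example written for this article, not code from Malwarebytes or Hackread. It uses only the path the article names (/data/system/Corejava/classes.dex); the injectable `run` callable and the FakeT95Device class are assumptions of this example, the latter a constructed stand-in that behaves as the article describes so the logic can be exercised offline.

```python
"""Added example (not Malwarebytes' or Hackread's code): automate two checks
from the article against a box reachable over ADB: (1) classify `adb root`
output, (2) delete a suspicious file, reboot, and see whether it comes back.
Command execution is injected as a `run` callable so a constructed fake device
can drive the same logic offline."""
import subprocess
import time
from typing import Callable, Dict, List, Optional

COREJAVA_DEX = "/data/system/Corejava/classes.dex"  # path named in the article
Runner = Callable[[List[str]], str]  # takes adb arguments, returns stdout+stderr

def adb_runner(serial: Optional[str] = None) -> Runner:
    """Real runner: executes `adb [-s SERIAL] ARGS` and returns combined output."""
    def run(args: List[str]) -> str:
        cmd = ["adb"] + (["-s", serial] if serial else []) + args
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
        return proc.stdout + proc.stderr
    return run

def list_devices(run: Runner) -> List[str]:
    """Serials from `adb devices` in the 'device' state (not unauthorized/offline)."""
    serials = []
    for line in run(["devices"]).splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) == 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials

def root_state(run: Runner) -> str:
    """'production' (adbd refuses), 'rooted' (adbd is or becomes root) or 'unknown'."""
    out = run(["root"]).lower()
    if "cannot run as root in production builds" in out:
        return "production"
    if "already running as root" in out or "restarting adbd as root" in out:
        return "rooted"
    return "unknown"

def file_state(run: Runner, path: str) -> str:
    """'present', 'absent' or 'denied'. Only an ls line that is exactly the path counts:
    a 'Permission denied' line (unrooted shell looking into /data) also contains it."""
    out = run(["shell", "ls", path])
    if any(line.strip() == path for line in out.splitlines()):
        return "present"
    return "absent" if "No such file" in out else "denied"

def wait_for_boot(run: Runner, attempts: int = 90) -> bool:
    """`adb wait-for-device` returns when adbd is up, which is before boot finishes."""
    run(["wait-for-device"])
    for _ in range(attempts):
        if run(["shell", "getprop", "sys.boot_completed"]).strip() == "1":
            return True
        time.sleep(2)
    return False

def persistence_check(run: Runner, path: str) -> Dict[str, object]:
    """Remove PATH, reboot, report whether it came back. Destructive: use only on a
    box under investigation, kept off the network as the article advises."""
    before = file_state(run, path)
    if before == "present":
        run(["shell", "rm", "-f", path])
    after_rm = file_state(run, path)
    run(["reboot"])
    after_reboot = file_state(run, path) if wait_for_boot(run) else "unknown"
    return {"before": before, "after_rm": after_rm, "after_reboot": after_reboot,
            "reappeared": before == "present" and after_rm == "absent"
                          and after_reboot == "present"}

class FakeT95Device:
    """Constructed stand-in (not a model of the real firmware) behaving as the
    article describes: adbd already root, classes.dex present, recreated on boot."""
    def __init__(self, rooted: bool = True, recreates: bool = True) -> None:
        self.rooted, self.recreates = rooted, recreates
        self.files = {COREJAVA_DEX}

    def run(self, args: List[str]) -> str:
        if args == ["devices"]:
            return "List of devices attached\nT95FAKE0001\tdevice\n"
        if args == ["root"]:
            return ("adbd is already running as root\n" if self.rooted
                    else "adbd cannot run as root in production builds\n")
        if args[:2] == ["shell", "ls"]:
            p = args[2]
            if not self.rooted:
                return f"ls: {p}: Permission denied\n"  # /data unreadable as shell
            return f"{p}\n" if p in self.files else f"ls: {p}: No such file or directory\n"
        if args[:2] == ["shell", "rm"]:
            self.files.discard(args[-1])
            return ""
        if args == ["shell", "getprop", "sys.boot_completed"]:
            return "1\n"
        if args == ["reboot"]:
            if self.recreates:  # what system_server does on the infected box
                self.files.add(COREJAVA_DEX)
            return ""
        if args == ["wait-for-device"]:
            return ""
        raise ValueError(f"fake device got unexpected adb command: {args}")

if __name__ == "__main__":
    devices = list_devices(adb_runner())
    if not devices:
        raise SystemExit("no device in 'device' state: enable USB debugging, accept the prompt")
    run = adb_runner(devices[0])
    print("root state:", root_state(run))
    print("persistence:", persistence_check(run, COREJAVA_DEX))
```

Run it with the box attached over USB and it prints the root state and the persistence result for the real device; the fake device is only for trying the logic without hardware. The "denied" state matters: on a box whose shell is not root, ls cannot see into /data/system at all, and treating that as "absent" would wrongly report the file as removed.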
Collier concluded that DGBLuancher was the APK loading classes.dex from /data/system/Corejava. The deleted classes.dex, however, reappeared immediately after a reboot, and it still reappeared with DGBLuancher uninstalled, so DGBLuancher could not be what created it. Looking further, Collier found that system_server, Android's core system process, was running more commands in the background than just creating /data/system/Corejava: it was system_server that wrote the Corejava classes.dex, and DGBLuancher relied on it to do so before loading the file. Collier was not able to establish why the Corejava classes.dex is created in the first place.

In a blog post, Collier recommends starting with a factory reset before fixing the underlying issue; the reset removes any additional malware downloaded while the box was running. Keep the box off the network until you have installed adb on a Linux, Windows or Mac machine and enabled Developer options with USB debugging on the box. Connect the PC to the box, open a terminal such as Command Prompt, and run adb devices, which lists the attached devices with their serial numbers. See Nathan Collier's blog on Malwarebytes for the detailed remediation process.

More Pre-Installed Malware News
Malware targeting IoT devices and Android TV globally
Monero Mining Malware Infecting Android Smart TVs & phones
Hacked Android phones mimicked TV products for fake ad views
Amazon Fire TV, Fire TV Stick hit by crypto mining Android malware
This Cyber News was published on www.hackread.com. Publication date: Wed, 01 Feb 2023 21:24:03 +0000