The T95 is one of many Android TV Boxes available on the market powered by Allwinner H616 SoC. Interestingly, one of the GitHub users (DesktopECHO) reported having an unpleasant surprise after purchasing the T95 H616 Android TV Box from the Amazon store. More about T95 H616 malware infection, and how you can clean your device below.
T95 H616 Android TV Box with malware details
As reported by DesktopECHO via Github, he purchased the T95 H616 Android TV Box on the Amazon store.
“A few months ago I purchased a T95 Android TV box; it came with Android 10 (with working Play store) and an Allwinner H616 processor. It’s a small-ish black box with a blue swirly graphic on top and a digital clock on the front. There’s got to be thousands (or more!) of these boxes already in use globally.
This device’s ROM turned out to be very very sketchy — Android 10 is signed with test keys, and named “Walleye” after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If test keys weren’t enough of a bad omen, I found ADB wide open over Ethernet and WiFi – right out-of-the-box. (the aforementioned ADB is, for the record, the Android debug console.)
I purchased the device to run Pi-hole among other things, and that’s how I discovered just how nastily this box is festooned with malware. After running the Pi-hole install I set the box’s DNS1 and DNS2 to 127.0.0.1 and got a hell of a surprise. The box was reaching out to many known, active malware addresses.”
How to check if your T95 H616 has malware?
Does your T95 Android TV Box contain a folder named:
/data/system/Corejava
…and a file named
/data/system/shared_prefs/open_preference.xml?
Your T95 is infected with malware pre-installed, ready to do whatever the C2 servers decide. Yes, malware from Amazon straight to your door! If they insist on selling these devices they really should add an “Includes Malware” category in the Android TV section.
More about malware detection and analysis can be found here. By the way, it reveals the cleaning instructions.
Cleanup Instructions
- Reboot into recovery to reset the device or use the Reset option in the ‘about’ menu to “Factory Reset” the T95
- When device comes back online, connect to
adbvia USB A-to-A cable or WiFi/Ethernet - Run the script (WiP!)
Will we find malware on most T95s sold on Amazon? or also on devices available on Aliexpress? and not only we mean the T95 H616 Android TV Box. As usual, it’s hard to say no one has examined the scale.
What can we advise? If you buy an Android TV Box streaming device, pay attention to whether you buy a device from a well-known manufacturer that provides constant access to firmware updates, and buy certified devices.
Discussion about this post