Security researcher Daniel Milisic discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware.
This Android TV box model is available on Amazon and AliExpress for as low as $40.
The device came with Android 10 (with a working Play Store) and an Allwinner H616 processor. Milisic discovered malware pre-loaded in its firmware.
Milisic purchased the T95 Android TV box to run Pi-hole, which is a Linux network-level advertisement and Internet tracker blocking application.
After running Pi-hole, he noticed that the box was reaching addresses associated with malware campaigns.
The device uses an Android 10 operating system that was signed with test keys. The expert also discovered that it had the Android Debug Bridge (ADB) reachable through the Ethernet port.
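The two firmware findings above (test-key signing and ADB reachable over the network) can be checked on an Android device from a saved `adb shell getprop` dump. The following is an added example, not code from Milisic or the original article; the sample dump is constructed, and the `ro.adb.secure` check is a related addition the article does not mention.

```python
import re

# Constructed sample of `adb shell getprop` output (illustrative values,
# not captured from a real T95).
SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[ro.product.model]: [T95]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")


def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _port(value):
    """Return the TCP port as an int, or 0 when unset or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def audit(props):
    """Return (property, value, reason) tuples for risky settings."""
    findings = []
    tags = props.get("ro.build.tags", "")
    if "test-keys" in tags.split(","):
        findings.append(("ro.build.tags", tags, "build signed with test keys"))
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        if _port(props.get(key)) > 0:
            findings.append((key, props[key], "adbd configured to listen on TCP"))
    # Additional check (not from the article): 0 disables ADB key authorization.
    if props.get("ro.adb.secure") == "0":
        findings.append(("ro.adb.secure", "0", "ADB authorization disabled"))
    return findings


if __name__ == "__main__":
    for prop, value, reason in audit(parse_getprop(SAMPLE_GETPROP)):
        print(f"{prop}={value}: {reason}")
```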
The malicious code embedded in the firmware of the device acts like the Android CopyCat malware. The expert pointed out that none of the AV products he tested was able to detect the threat.