T95 Allwinner T616 Malware Analysis (github.com/desktopecho)
221 points by DesktopECHO on Jan 11, 2023 | hide | past | favorite | 72 comments


Follow-up to my earlier report about the stock firmware on these Android TV devices, with a script to de-fang Stage 0 by preventing the payload from downloading (chattr +i FTW!)


For what it's worth that domain in your repo is also listed in the 1Hosts block-list [1] but only in the Xtra category, not sure why. It seems that is a known malware site. Oddly enough it is not listed in the PiHoleBlocklist [2]

[1] - https://github.com/badmojr/1Hosts [listed but only in Xtra]

[2] - https://github.com/Perflyst/PiHoleBlocklist.git [not listed]


Wow, yes, only 1Hosts (Xtra) includes 2 of the 3 command & control domains: https://archive.is/drYgk

I am surprised that none of the usual threats lists have picked these domains up.

Edit: https://github.com/badmojr/1Hosts/issues/964


I'm not too surprised, as the malware goes out of its way to use ycxrl.com -- Going to extents like using 8.8.8.8 instead of the default DNS server, and trying a DNS server on port 5353.

Using those techniques, nobody would get a chance to see this second fall-back.

EDIT to clarify: Thanks for listing this, it's definitely good to list these addresses as 'bad' for others to be aware, but DNS blocking won't slow down this malware, not even a bit.

Here's what it took for me to see cbpheback.com -- Install Pi-hole on the Android device and add these rules to iptables:

  adb shell iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
  adb shell iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
  adb shell iptables -t nat -A OUTPUT -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53
  adb shell iptables -t nat -A OUTPUT -p udp --dport 5353 -j DNAT --to 127.0.0.1:53


> ..but DNS blocking won't slow down this malware, not even a bit.

Yep, in a world of encrypted DNS transports, it is a folly to believe that DNS-based blocks would be effective at thwarting any sort of malware. That said, some IoC (indicators of compromise) setups do rely on it nevertheless.


just because something new comes along doesn't mean you stop doing the thing that worked for all of the older/existing things. otherwise, the existing things start working.

you make it sound like people are dumb for relying on something that works in certain situations. that's just hubris on your part if that's what you actually feel.


You make it sound like I compared DNS-based security to snake oil. That's just futuristic thinking on your part (:


>setups do rely on it nevertheless.

this is where I'm drawing my conclusion. no snake oil accusations necessary. the sentence is read with an implied "nevertheless, [dumbasses|idiots|noobies]" type of ending


Yeah only the primary server seems to be on blocklists. The malware uses 3 DNS addresses, all on Linode.

Not that it matters, as the malware uses 8.8.8.8 if it doesn't like the DNS reply -- Then it tries a DNS server on port 5353!


Another thing to look at if you have time is packet characteristics. I have found that many malware and bot installations appear to use really odd network libraries. Just do a tcpdump for a while and see what sticks out, such as missing MSS, really high TTL, missing SackOK, timestamps enabled (this seems to be the default on Android). Also look at the TCP header sizes vs. the normal TCP header sizes from legit devices on your network.

    tcpdump -i any -p -NNnnt -s0 -c512 proto 6 and 'tcp[13] == 2' # get syn packets, use "-i any" to see direction
I'm not sure where malware authors find their libraries but they do not try at all to look like normal traffic [Edit] or perhaps their government is telling them to add/remove specific options.
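The packet-characteristic heuristics above (missing MSS, missing SackOK, unusually high TTL, odd TCP header size) and the earlier point about the malware talking to 8.8.8.8 directly and to a resolver on port 5353 can both be turned into a small triage script run over captured SYN records. The following is an added example, not code from the thread or from the linked repo; it assumes `tcpdump -v` records joined onto one line each, and the capture, addresses and thresholds (TTL above 128 counts as high; a 40-byte header, i.e. the usual Linux/Android mss+sackOK+TS+nop+wscale option set, is the baseline) are constructed for the demonstration.

```python
"""Triage SYN records from tcpdump for odd TCP stacks and DNS-bypass attempts."""
import re
from collections import Counter

# Constructed sample capture (assumption: `tcpdump -v` two-line records joined
# onto one line). The only values taken from the thread are the public resolver
# 8.8.8.8, the loopback Pi-hole at 127.0.0.1, and ports 53 / 5353.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.20.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.20.51001 > 203.0.113.11.443: Flags [S], seq 2, win 64240, options [mss 1460,sackOK,TS val 2 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 255, id 3, offset 0, flags [none], proto TCP (6), length 44) 192.168.1.77.40000 > 198.51.100.5.443: Flags [S], seq 3, win 8192, options [nop,wscale 0], length 0
IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.77.40001 > 8.8.8.8.53: Flags [S], seq 4, win 64240, options [mss 1460,sackOK,TS val 4 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.77.40002 > 198.51.100.9.5353: Flags [S], seq 5, win 64240, options [mss 1460,sackOK,TS val 5 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 6, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.77.40003 > 127.0.0.1.53: Flags [S], seq 6, win 64240, options [mss 1460,sackOK,TS val 6 ecr 0,nop,wscale 7], length 0
"""

SYN_RE = re.compile(
    r"ttl (?P<ttl>\d+).*?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[S\].*?options \[(?P<opts>[^\]]*)\]"
)

# Wire size of each TCP option kind as tcpdump names it.
OPTION_BYTES = {"mss": 4, "sackOK": 2, "TS": 10, "nop": 1, "wscale": 3, "eol": 1}
DNS_PORTS = {53, 5353}


def parse_syn(line):
    """Return the fields of one SYN record, or None if the line is not a SYN."""
    m = SYN_RE.search(line)
    if not m:
        return None
    kinds = [o.strip().split()[0] for o in m["opts"].split(",") if o.strip()]
    return {
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        "ttl": int(m["ttl"]), "options": kinds,
    }


def tcp_header_len(opts):
    """TCP header length in bytes: 20 fixed + options padded to a 4-byte boundary."""
    kinds = [o.strip().split()[0] for o in opts.split(",") if o.strip()]
    raw = sum(OPTION_BYTES.get(k, 0) for k in kinds)
    return 20 + ((raw + 3) // 4) * 4


def classify(rec, baseline_header_len=40, local_resolver="127.0.0.1"):
    """List the heuristics a SYN record trips; an empty list means nothing odd."""
    reasons = []
    if "mss" not in rec["options"]:
        reasons.append("missing_mss")
    if "sackOK" not in rec["options"]:
        reasons.append("missing_sackok")
    if rec["ttl"] > 128:  # Linux/Android send 64, Windows 128; 255 is a stack oddity
        reasons.append("high_ttl")
    if rec["header_len"] != baseline_header_len:
        reasons.append("atypical_header_len")
    # DNS over TCP to anything other than the local resolver sidesteps DNS blocking,
    # unless the iptables DNAT rules from the thread force it back to 127.0.0.1.
    if rec["dport"] in DNS_PORTS and rec["dst"] != local_resolver:
        reasons.append("dns_to_external_resolver")
    return reasons


def analyze(capture, **kwargs):
    """Return only the SYN records that trip at least one heuristic."""
    findings = []
    for line in capture.splitlines():
        rec = parse_syn(line)
        if rec is None:
            continue
        rec["header_len"] = tcp_header_len(SYN_RE.search(line)["opts"])
        rec["reasons"] = classify(rec, **kwargs)
        if rec["reasons"]:
            findings.append(rec)
    return findings


def suspicious_hosts(findings):
    """Count findings per source address so the chatty box stands out."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} ttl={f['ttl']} "
              f"hdr={f['header_len']} {', '.join(f['reasons'])}")
    print(suspicious_hosts(analyze(SAMPLE_CAPTURE)))
```

The baseline header length is a per-OS property (a Windows client without timestamps sends a 32-byte header and would be flagged against the 40-byte default), so in practice set `baseline_header_len` from a known-good device on the same network. The `proto 6` capture filter in the thread only sees TCP, so UDP DNS to 8.8.8.8 needs a separate `udp port 53 or udp port 5353` capture.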


Thanks for the guidance here. Where I'm really stuck is when tcpdump tells me about the presence of the offending traffic and correlating process. In this case, it's the Android "system_server" process and I'm not sure how to find the hook into it that downloads the malware.

In hindsight I should have made this an Ask HN post...


just reading your comment about differing packets, I was already thinking that seems like a dumb thing to have looking different. Then you end with exactly that. Just goes to show that the world is so insecure that even minimal effort will get quite a return in this world. If it gets a big enough return so that even those that do stop it still makes it worth while, then why spend energy trying to do more. Hell, even Bill Gates is attributed to saying something about why should he pay for optimizing when disk space and cpu is always increasing faster than any optimizations could.


ycxrl.com (registered at godaddy with privacy) is the command-and-control domain mentioned in the article, which currently resolves to 192.53.113.52 (Linode). DNS is run through DOMAINCONTROL.COM, which seems to be a nextcloud instance?


Looks like 139.162.63.161 may also be involved, it has the same ssh server key:

https://search.censys.io/search?q=services.ssh.server_host_k...


The domaincontrol.com nameservers are operated by GoDaddy.


I remember looking at a few of these cheapo "androidtv" boxes. My instant reaction was that the entire build seemed super shady and I wouldn't be surprised if they were full of keyloggers and malware. Fortunately I never signed in with a real google account. Some aren't even real AndroidTV, they identify as an Android (not AndroidTV) device in several spots, probably to allow installation of google play applications that aren't designed for androidtv. They often come with multiple app stores, in addition to Google Play (which seems like an unlicensed hack, I would have thought Google would require a minimum of quality for approving a device to carry Google Play, especially for AndroidTV - heck, even uploading a closed alpha testing application that is AndroidTV enabled to google play requires a lot more reviews than regular android apps). All kinds of super weird processes running, some with bundle ids such as just "a" or "com.example.a" (instead of "com.example.realcompanyname.whatever"). If I remember correctly they also came pre-rooted with su/sudo setuid root. The CPU was super weak but they seem to have some sort of hardware accelerated H.264 decoding, that's probably why they can stream and play online HD video, but the minute you try to do anything outside of regular streaming, it is painfully obvious that the chip is weaker than a raspberry pi 1.

To be honest I'm surprised Google is not cracking down hard on this, because it absolutely tarnishes the Android brand. They really feel like a "warez" version of AOSP plus cracked Google Play. I half expected "Google Play Protect" to throw up warnings about the device being non-genuine, but I actually never saw anything of the sorts.


> I would have thought Google would require a minimum of quality for approving a device to carry Google Play

iiic they require a license to redistribute their binaries, including Google Play. Obviously these boxes running a stolen phone ROM have not paid the licence fee.

As for the rest, these Allwinner chips are actually pretty good, but they're crippled by proprietary drivers and closed device tree. With open drivers and proper software support, they'd probably be equivalent to a Raspberry Pi 3 or better.

I love Android but the ecosystem is already ruined, both by vendor cruft like Samsung's sluggish UI, and by Google Play store being filled with microtransaction cancer. Google Play was good maybe 8 years ago but the lure of Google getting a cut of everyone's IAP destroyed it long ago.

Some obscure cheapo unenforceable Chinese copyright violation has almost no effect in comparison.


F-Droid on LineageOS addresses most of the concerns with Playstore as only talented developers who care about open-source release their apps on it.

Of course, apps of 3rd party data hoarding, democracy destroying services wouldn't bother releasing to F-Droid and I'm glad for that.

With microG version of LineageOS the app updates are seamless due to the F-Droid PE patch bundled in the ROM.

Lately I'm finding myself increasingly dependent on F-Droid only apps like Termux and Tusky.


I also have F-Droid and Termux installed, but to say this offers a complete or optimal Android experience is false.

There are many good apps only on Google Play, if you know where to look, usually specifically for the app name or by trawling through a dozen inferior alternatives first.

The chances of the best, most respectful apps being suggested to you instead of the Editor's Choice in-app-purchase garbage are zero.


That's if you don't consider having rootkit-like Google play services as a threat vector or don't mind its impact on the Privacy/Battery backup in the first place.


These boxes identify themselves as a Google Pixel 2 (walleye) because, reasons!


Which probably means they can upload unlimited photos to Google Photos without it counting against the user's quota ...


Only the original Pixel gets unlimited.


> To be honest I'm surprised Google is not cracking down hard on this, because it absolutely tarnishes the Android brand. They really feel like a "warez" version of AOSP plus cracked Google Play.

Nobody's using these boxes for anything besides pirated IPTV. The market for Android boxes has existed for a decade.

There is not going to be much crossover between people buying hardware like this (to view pirated cable), and the people Google markets Chromecast/Chromeboxes to, because all those do is show paid/ad-funded 'legit' content.


> "...it is painfully obvious that the chip is weaker than a raspberry pi 1"

Rpi1 is a 700MHz ARM11. Pretty much anything made in the last 8 years to run Android is stronger than that.


32-bit single-core, even.


I would be super interested to see what the command and control channel would actually try to do (in a virtual network/honey pot of course).


It sounds similar to Barnes and Noble shipping ADUPS on their Nook tablets.

https://www.engadget.com/2016-12-22-barnes-and-noble-nook-sp...


Funny you mention it, as it also had ADUPS. By itself, I can deal with that.

Actually it more resembles the CopyCat malware. My challenge is finding the hook in system_server that downloads the payload from C2.

* https://www.checkpoint.com/downloads/resources/copycat-resea...


Welp. Had one running for years. ADB'd into it and no sign of an infection despite it being the exact one to be. I don't use anything important on it so I'm considering burning it. OP, do you know of any way to flash a clean OS onto it? If the malware is as deep as it is described maybe a full system reinstall would be best instead of just uninstalling known badware.


I'm with you on that. There are efforts underway to get plain-old Linux running, but it's some time away as this chip only went into mainline as of kernel 6.0


Agh, your script seemed to have bricked my device. It sends it into a loop forever booting and doesn't reach anything. :/

No big loss though, it hasn't been used in years.


Wow sorry to hear that. If you can, check if the device is still available over ADB. If it is, try re-running the script.

Not sure what happened in your case, I flashed many ROMs and ran the script against them to see if anything bad would happen. No issues.

In any case it won't be a Hard Brick. Power off, hold [volume-up] insert power jack and tap the [power] button 10 times. (I think. I lost my remote ages ago and can't check.)


Yep I actually toyed around with it and got it to boot - thanks for the help!


> If anyone can offer guidance on how to find these hooks into system_server let me know

You might have some insight using Xposed, but I'm not sure if it works with AndroidTV. Feel free to contact me (email on my profile).


Nice properties of the Raspberry Pi SoC devices include that there are brands involved that aren't going to fly-by-night, and the brands and the people behind them could be reached by civil and criminal action.

Of course, that doesn't fully prevent malware, but it's more reassuring than buying something that fell off the back of a truck, in a dark alley(baba).


These things also show up on Amazon. I think the real problem is Allwinner. I've dealt with them before and it was nightmarish.

If you want to buy their chips, they insist on setting you up with one of their partners. Fair enough, but that other company is an Allwinner employee's side hustle. They ended up selling us boards that looked like surplus from a settop box project. Outdated, weirdly modified Android version, Google stuff but no license, lots of diagnostic tools installed and ADB wide open like in the article. No source code provided, even though it was agreed upon. We managed to get the source, but it wouldn't build. Then I flew over to our factory in China and asked to meet the guy, so we can sit down and he can show me how to build it. He never came of course, but we suddenly got a mail with the correct source... That's just a fraction of the stories we had with them.

With all the development effort, RMA cases and lost sales I would say our company lost a bunch of money thanks to Allwinner. I wonder how Allwinner still manages to exist. Maybe their stuff is "good enough" in those cases where cheap trumps everything else? We did stick with them for quite a long time and sold a couple of their boards after all...


Thanks for this fascinating insight. The jankiness you describe lines up exactly with what I'm seeing here.

If H616 was the mainstream/volume chip box to have in 2021, then I'm super-interested to see what their 2023 H618 boxes look like. They are all over Amazon with loads of reviews on YouTube, just like its predecessor.

Considering the interest this write-up has generated I'm inclined to get one and 'take the bullet' to see if this behaviour continues. Given your insight about how these chips get sold, chances seem quite high.


Yeah, I must admit that I have a morbid fascination with these devices. I mean they are cheap and hackable after all. And after reading your article I also thought about getting a new one to see what they are up to these days :-D.


> Maybe their stuff is "good enough" in those cases where cheap trumps everything else?

Well doh.

First of those cheap multimedia CPUs that figures out that having good docs/"out of the box" working open support gives them sales will eat the market.

Also aren't allwinner chips one of the better mainstream kernel supported ones out of the ARM bunch?


Allwinner SoCs have very good mainline support, including most of their multimedia capabilities and can run LibreELEC just fine.


Not this one.

> Nope. While basic Linux support is slowly materializing, two major blockers are still at the same spot - HDMI audio (no useful driver) and bug in display driver (big code change may be required to fix it).

https://forum.libreelec.tv/thread/24275-allwinner-h616-suppo...


> "Nice properties of the Raspberry Pi SoC devices..."

I will only trust devices that have readily available, fully opensource platform firmware, bootloader, and OS. That beats some blind trust in "a massive blob that has control over everything and runs on an independent CPU from OS, because companies would not do bad things, because...brand??" anytime.


What does this have to do with Amazon specifically, especially when you mention that the same units can be purchased on AliExpress?

"Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize."


It's fairly unrelated to Allwinner also.


Indeed allwinner SOCs are pretty remarkable for how cheap they are.


Fair point, thanks. Added AliExpress.


Cheers, thank you!


As the author they could make the article title match the HN one!


It's an "Android TV Box", model name "T95". Where is that information in the title?


Title was changed by the mods so that's how it stays! :)


It's the same title of your post on github. The mods did not change anything.


Clearly you never saw the original title before it was changed by the mods, but believe whatever you like.



"work a little". How is that relevant here?

The "T95" is likely an unbranded TV box and some people that bought it, got pre-installed malware in it. Is that the case with all T95 TV boxes? We don't know. Likely but we don't know.

Did the seller infect the TV boxes with the malware before selling? Probably.

Is this some malware that is implemented in the hardware of the TV box? Hell, no.


"work a little" is you click on the article and it tells you what it's about in the first couple of paragraphs. Or you do what many people do and go straight to the comments and they tell you. All of the stuff you typed above is not going to get resolved in a title anyway.

Here's a couple of specific mod comments if you didn't get that far in the search results:

https://news.ycombinator.com/item?id=21589370

https://news.ycombinator.com/item?id=21394893


Ask HN: I've been thinking about getting an Android tablet to read sheet music. I'm a technically inclined person, but certainly not a security expert. Can anybody recommend one or more online guides for how to find out if a new device contains such egregious malware?


I recommend looking at the list of devices recommended by one of LineageOS (https://wiki.lineageos.org/devices/), /e/ (https://doc.e.foundation/devices), or PostmarketOS (assuming the application will run on plain Linux vs. Android) to see if they will work for you. The tablets they recommend are often older models so you will likely have to find these used/refurbished. It might be easier to get a detachable or 360-hinge PC laptop instead (e.g. MS Surface) if the weight/dimensions/application work better for you due to the high flexibility that PC OS-es offer compared to Android. Alternatively, a ChromeOS device, most of which can run Android apps, are a much better bet with long support, respectable vendors, and good flexibility.


Why not just get something from Samsung? That's a reputable brand and they have no incentive to add in stuff like this. This is a $50 Android box made by some no-name OEM that sells on Amazon.


Better that it comes with malware you can remove, than a device that has been "secured" against you with unremovable malware under the guise of "security"...


Is John Connor aware of these? Might just be what reverses the war against Skynet!


I'd like to see what this malware actually does.

I don't really care if there is malware running in my living room. Makes no difference to me if it runs there or at the north pole. It isn't exactly wasting much of my power or network with a tiny allwinner CPU and probably only 54Mbit WiFi.

And as long as this thing keeps streaming TV, I'm quite happy for it to be full of malware.


Such malware may sit dormant until ordered to be a small part of a DDoS attack. It will continue to stream your TV in the meantime.

Harboring such a pest, typically used in extortion, is just not nice, even if you personally do not directly feel any ill effects.


Or acts as a proxy allowing people to route all kinds of shit through (or into) your network...

A lot of those "residential proxy services" work by routing traffic through infected devices. The operators of them just buy "installs" (dirt cheap) from botnet operators, etc.

An infected device on the home network can also be staging for (automated) attacks against other shit on your network. Fun times.


> An infected device on the home network can also be staging for (automated) attacks against other shit on your network. Fun times

Oh? With what result at the end of all that?

Otherwise this reads like typical "infosec" fearmongering turned up to 11. No different than doomsday preppers.


Your Windows machine likely has more lax permissions for the internal LAN. It's easier to try and install a keylogger, and steal your passwords on various sites, card numbers, etc.

This all gets bought and sold on black markets, and gets used weeks and months after being stolen. Spam sent covertly from your mail account, mystery charges on your CC, etc. Not pleasant. At the worst case, a full identity theft, then behold a $30k loan taken in your name, for you to repay with interest.


Windows machine? Others are bulletproof? Mac has never been used as an attack vector by a malicious actor?

What if a super-volcano erupts tomorrow, do you have enough canned beans?


And if someone doubts this, remember the Mirai botnet.


An Internet connected device with a back-door could be used as a jumping off point to attack other systems on your network.

An Internet connected fishtank thermometer was the initial point of entry for attackers against a casino:

https://www.businessinsider.com/hackers-stole-a-casinos-data...

Without paywall: https://archive.ph/K1nPe


> as long as this thing keeps streaming TV

Using your accounts presumably - so at the very least this thing has access to your hulu/netflix/hbo/disney+ account information... That alone should be enough to make one reconsider.


You asked a good question.

Q: What does this malware do?

A: Probably nothing, but You kind of gave keys to Your device to a 3rd party. And the 2nd party (that also has keys) doesn't like that.

Ideally You the owner should have the key and nobody else.


I'm not going to try and change your mind, just sayin' that seems like a really bad idea.



