
Owner of an Android TV box? May want to check if it's an active botnet member...

 1 year ago
source link: https://forum.xda-developers.com/t/owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567/page-2#post-88918241

Rickkins

Senior Member

Xiaomi maybe not so much, but these vendors on Amazon operating with names like BLAÜMTRON could be up to anything apparently.

If other T95 owners can check their devices for DNS traffic to ycxrl.com it'd be a huge help to determine the extent of this problem.

I would love to check for this, what do I need?

Traace

Senior Member

So, I just bought a H96 MAX with RK3528 CPU, 4G+64GB storage and Android 13 and was curious if these are infected, too.

This is how I tested the device:
  • Connected the device to an empty and isolated vLAN
  • Did a network packet analysis of traffic coming from that vLAN; no suspicious traffic detected
  • Scanned the device with a forensics tool called MVT. Root binary "su" together with "busybox" detected, which means the device is rooted. No malware / virus detected.
  • Dumped all user APKs and uploaded them to VirusTotal. No detections, everything is clean.
  • Gained root access via the su binary, dumped all system APKs and uploaded them to VirusTotal. 2 minor detections; analyzed the behavior of these deeper, false positives in my opinion. Everything else is clean.
  • Checked if the known malware / virus folder /data/system/Corejava or file /data/system/shared_prefs/open_preference.xml exists in the filesystem. They do not exist.
  • ADB has no confirmation: if enabled in Android settings, every device can connect
  • SU has no confirmation nor any notification on screen
Conclusion:
  • The device looks clean; besides 2 minor false positives there was no suspicious activity or malware / virus detected.
  • The device is rooted by default with su. This is dangerous because any app can request root and the user wouldn't notice. I recommend replacing the binary with some solution that gives feedback to the user.
  • Anyone in the same network can connect to the device via ADB without any confirmation. Keep that in mind and maybe disable ADB if not needed.
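As an added example (not code from Traace or anyone in the thread), a small POSIX shell script that automates the two indicator checks above: the known paths under /data/system and DNS queries for ycxrl.com. It runs against a filesystem tree pulled from the device (e.g. with `adb pull`) and a DNS resolver log; the function names and the dnsmasq-style sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example for the thread's T95 indicator checks; helper names and
# sample data are constructed, not from the original post.

# Paths reported in the thread for the T95 malware (relative to the root
# of a tree pulled from the device).
IOC_PATHS="data/system/Corejava
data/system/shared_prefs/open_preference.xml"
# Domain the thread asks owners to look for in DNS traffic.
IOC_DOMAIN="ycxrl.com"

# count_ioc_paths ROOT: print how many of the known paths exist under ROOT.
# Each hit is also reported on stderr so it shows up in a terminal.
count_ioc_paths() {
    root=$1
    hits=0
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "FOUND: /$p" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# count_dns_hits LOGFILE: print how many lines of a DNS query log mention
# the domain (case-insensitive, any log format). Missing file counts as 0.
count_dns_hits() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -i "$IOC_DOMAIN" "$1" || true
}

# build_constructed_sample: create a temp tree that mimics an infected
# device plus a constructed dnsmasq-style log, and print its path.
build_constructed_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/fs/data/system/shared_prefs"
    : > "$d/fs/data/system/shared_prefs/open_preference.xml"
    cat > "$d/dns.log" <<'EOF'
Jan 12 10:01:03 dnsmasq[1]: query[A] time.android.com from 192.168.50.20
Jan 12 10:01:09 dnsmasq[1]: query[A] ycxrl.com from 192.168.50.20
Jan 12 10:04:11 dnsmasq[1]: query[A] YCXRL.COM from 192.168.50.20
EOF
    echo "$d"
}

# Usage: sh check_t95.sh --demo   (or call the functions on real data)
if [ "${1:-}" = "--demo" ]; then
    d=$(build_constructed_sample)
    echo "path indicators found: $(count_ioc_paths "$d/fs")"
    echo "DNS log hits:          $(count_dns_hits "$d/dns.log")"
fi
```

On a real device the tree for count_ioc_paths comes from `adb pull /data/system` (which needs root, as the post notes), and the log from whatever resolver serves the isolated vLAN.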
