cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Your Android TV box may be spying on you

If you’ve bought yourself a cheap TV streaming box from Amazon recently, you may have inadvertently bought yourself a shiny, new piece of malware without even knowing it! A Canadian sysadmin and researcher recently discovered his T95 Android TV box came with a little more than he expected.

user icon David Hollingworth
Fri, 13 Jan 2023
Your Android TV box may be spying on you
expand image

The device — which is freely available on AliExpress as well as Amazon — seems fine on the surface, but dig a little deeper and things get a bit sketchy.

The T95 runs Android 10, but the ROM in question is signed with test keys and the Android Debug Bridge is — in the words of Daniel Milisic of IT outfit DesktopECHO “wide open over Ethernet and wi-fi — right out-of-the-box”.

Milisic ran the Pi-hole OS on the device and this uncovered a whole new realm of issues. After making some DNS changes, he found that the box was actively making contact with a host of well-used malware sites.


After failing to find a ROM that was suitably clean, Milisic tried removing the malware.

“I found layers on top of layers of malware using tcpflow and nethogs to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM,” Milisic says on a GitHub post detailing his experience.

Unfortunately, the final piece of the malware puzzle proved to be “deeply-baked into the ROM”. It operated like a version of the CopyCat malware, and it consistently injected itself into the sytemserver process.

Milisic was, however, able to get around the malware by changing the DNS of the command and control server it was reporting to.

There’s a full guide to getting around the device’s malware on the GitHub page, and Milisic is very keen to see if anyone else has a solution to removing the final bit of malicious code.

“Hopefully, a method can be found to completely disable the malware, for the time being this is as close as it gets,” he says.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.