T95 Allwinner H616 TV Box

[stevendeb25]

For owners of this device, have a look in this folder:

/data/data/com.swe.dgbluancher/files

Check to see if there's a folder named да -- If there is, your device is infected with malware. I'm investigating reports this is included in brand-new devices purchased online. If you're affected (or not) please reply here and let us know if you're on stock or flashed firmware.

Friend just bought one for me to setup for movies and tv

 

[DesktopECHO]

Ads sure, but not all the malware on the box.

You may want to check to see if this folder exists:

/data/data/com.swe.dgbluancher/files/да

Also run AVG, it will find malware (but not all of it)

 

[stevendeb25]

Ads sure, but not all the malware on the box.

You may want to check to see if this folder exists:

/data/data/com.swe.dgbluancher/files/да

Also run AVG, it will find malware (but not all of it)

Yeah it's got that folder/file after rechecking
ran AVG scan found one malware "intallapp"

 

[DesktopECHO]

Yeah it's got that folder/file after rechecking
ran AVG scan found one malware "intallapp"

Sadly that’s just the tip of the iceberg!

 

[stevendeb25]

Sadly that’s just the tip of the icebe

Had my t95 box for a few years now and not had any issues, but I don't enter bank details or login into things, if I do login into something it's a email I don't normally use

 

[ismael ulisses]

temho a t95 no aida mostra 1gb de ram e 8 de rom

 

[nicktyke]

I have this box. 4/64gb model. Doing ls from terminal in the dgbluancher/files folder shows no such subfolder. However, I'd now be keen to see what it is up to. I have an Ubuntu box on the same network which is easier to work with than the crappy t95. Any danger of a walkthrough of installing pi-hole on the Ubuntu box and configuring the t95 to use the Ubuntu box as DNS, please?

 

[DesktopECHO]

Can you check one more thing real quick? Do you have a folder named:

/data/system/Corejava

And the file:

/data/system/shared_prefs/open_preference.xml

If so, you are infected.

 

[DesktopECHO]

As far as installing Pi-hole on the T95 goes, it's very simple to get up and running. Then set the T95's DNS1 and DNS2 to 127.0.0.1 and you'll see exactly what the device is up to.

Pi-hole for Android Deployment

 

[nicktyke]

Can you check one more thing real quick? Do you have a folder named:

/data/system/Corejava

And the file:

/data/system/shared_prefs/open_preference.xml

If so, you are infected.

Both folder and file are present
Struggling for time this evening. Will have a look at pi-hole tomorrow. Ideally on the Linux box with a decent screen and a hardware keyboard and point the t95 DNS settings to it. If I can't fathom that, I'll install pi-hole on the t95 per your guide. Thanks

 

[DesktopECHO]

Both folder and file are present
Struggling for time this evening. Will have a look at pi-hole tomorrow. Ideally on the Linux box with a decent screen and a hardware keyboard and point the t95 DNS settings to it. If I can't fathom that, I'll install pi-hole on the t95 per your guide. Thanks

Help is on the way!

GitHub - DesktopECHO/T95-H616-Malware: "Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616)

"Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616) - GitHub - DesktopECHO/T95-H616-Malware: "Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616)

github.com

The script I posted to GitHub will effectively 'de-fang' the malware and clean-up your T95 as much as possible (for now, while a better solution can be found)

 

[nicktyke]

Right then. Set up pi-hole and there it is

 

[DesktopECHO]

You will also see these after you run the remediation script:

On top of that, it tries to use 8.8.8.8 if it doesn't like the answer it's getting from default DNS.

The cleanup script I put together will prevent Stage One from being downloaded, but it will NOT (at this time) stop pinging the C2 servers.

 

[PhyllisDillhole]

Bump.

Stage 1? Could you elaborate a little more? What would stage 2 do? I almost gave one of these away as a gift. Like you said, these can easily be obtained en masse from places like Alibaba and sell like hotcakes on Amazon and eBay (and it's not like the sellers on Amazon or eBay know- and perhaps not even the wholesalers) and most people just plug them in and connect all their devices, etc, without knowing anything about this or that there's a de-fanging script- etc.

I purchased these because of the processor, that I could flash Batocera or whatever to it or run it off of an sd card and use it for gaming and movies. Unfortunately, I did plug it in briefly before I found this post, One thing I did notice is that an air mouse I had that was working and in perfect working order stopped working. It still works on other machines.

I don't need it to be online for what I use it for, but I guess my main question is- given the current climate, should this be of a larger security concern?

I still have one in the packaging and I have said folders and files on the one I did use. Is this something that should be brought to broader attention? These are cool, functional, and cheap- thus people turn other people onto them and they buy them for friends and family, etc.

What's Stage 2? Pegasus? lol

 

[DesktopECHO]

Thorough write-up here: T95 H616 Malware
Reported online by BleepingComputer,PCMag and others

 

[nazgul67]

Anyone experienced distorted voice using Zoom Cloud Meeting app?
Any way of fixing this?

Device: T95 4gb ram
Firmware: X19

 

[GarM35]

Hi! I have 2 tv boxes Allwinner t95 max with android 9 (2.1.21) and they were working perfectly. From last month or so both have started to do the same thing: playing videos (either streaming or from hard drive) suddenly the image and sound freeze a couple of seconds (making a very annoying noise), and sometimes the image freezes but the sound continues until it all fades to black and then continues synchronized. I have restored one of them to factory defaults and it keeps doing it. Do you have any idea what could have happened and how to fix it? Thank you very much!

 

[spinnersp]

I have the 4/64 ver. Opened box to confirm.I cannot for the life of me get this detected with adb or even pheniox tool. Any help on drivers(which i believe pheniox tool installed. I can here windows sound when connecting. i can sometimes get this error in adb "
adb server version (39) doesn't match this client (41); killing...
* daemon started successfully" Sometimes the client and server numbers sre different.

 

[theslydog]

I had an unused T95 and I just fired it up and sure enough it was infected.
So I hunted for some firmware and the only firmware (out of many) that would install with PhoenixSuit was T95-H616-X29.img
It says Build 10.1.X29-0621

Has anyone had a look to see if this img is infected like that of the firmware that the box comes with?

I can see
/data/system/Corejava
but not
/data/system/shared_prefs/open_preference.xml

the 'files' folder here is also not present
/data/data/com.swe.dgbluancher/files/да

 

[spinnersp]

I hunted around for firmware for this box 4/64 dual wifi. Tried many different H616 files,couldnt get any to work unless they were T95 specific.Then I found "Vontar-X1-A29-1105",boots up with the Vontar logo. Once booted up looks just like the T95 and same as theslydog
I can see
/data/system/Corejava
but not
/data/system/shared_prefs/open_preference.xml
the 'files' folder here is also not present
/data/data/com.swe.dgbluancher/files/да