Your Smart TV Could Be a Security Risk

Why Network Security Monitoring is Crucial for Your Peace of Mind

During a recent cybersecurity audit for a customer, we uncovered a serious security risk: an Android TV box was found to contain malware. This device was continuously attempting to connect to a Command & Control (C2) server, aiming to install a backdoor into the network.

Through the C2 server, cybercriminals could infiltrate the network, steal data, or even deploy ransomware—bypassing traditional security measures entirely.

Essentially, this is like a phishing attack but executed remotely, without any human intervention.

How Did It Start?

During a routine security assessment for a customer who had not yet subscribed to our 24/7 Managed Cybersecurity Monitoring Service (SOC), we detected an unusually high number of botnet alerts originating from a single device on their network.

Our Cybersecurity Competence Center (CCC) quickly traced the alerts to a TV box, a fact confirmed by the client.

Further analysis revealed that many of these devices come pre-installed with malware. In this case, it was a variant of CopyCat, malware capable of gaining root privileges and executing commands remotely.

What Did We Discover?

Our investigation across multiple sources (*) showed that the infected TV box was trying to connect to a known malicious C2 domain: ycxrl[.]com. The following devices have been associated with malware using this domain:

  • T95 (AllWinner H616)
  • T95Max (AllWinner H618)
  • X12-Plus (RockChip 3328)
  • X88-Pro-10 (RockChip 3328)

Beyond C2 communications, we identified specific Indicators of Compromise (IOCs) that signal the presence of this malware:

  • A directory called /data/system/Corejava
  • A file named /data/system/shared_prefs/open_preference.xml

While our system successfully blocked the C2 connections, it's critical to understand that this malware is also capable of exfiltrating data and executing remote commands, making it a severe security threat.

Why Should You Care?

This case highlights the risks IoT devices pose to corporate networks. Smart devices can introduce serious security vulnerabilities. In this instance, the AXS Guard DNS Security feature detected and neutralized the threat early. Without proper protection, cybercriminals could have stolen sensitive corporate data or leveraged the network as a launchpad for further attacks.

How to Protect Your Network

To safeguard your organization from threats like these, follow these key security measures:

  1. Use DNS Security: Ensure suspicious DNS requests are monitored and blocked.
  2. Audit All Connected Devices: Regularly check which devices have access to your network and confirm they are trustworthy.
  3. Invest in 24/7 Cybersecurity Monitoring: Our managed security service Observe & Protect can detect and mitigate threats in real time.
  4. Avoid Cheap, Unverified Devices: Devices lacking proper certification or manufacturer support pose significant security risks.
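As an added example, not code from the original post or from AXS Guard, the following Python sketches the two controls described in the IOC section above and in step 1: a DNS filter decision that blocks the reported C2 domain ycxrl[.]com together with its subdomains, and a scan over resolver logs that surfaces a single client making many such lookups, which is the pattern that first exposed the TV box. The log line format and the sample lines are constructed for this example; only the domain comes from the investigation.

```python
from collections import Counter
from typing import Optional, Tuple

# The C2 domain reported in the investigation, defanged in the write-up as ycxrl[.]com.
C2_DOMAINS = frozenset({"ycxrl.com"})

# Constructed sample resolver log, one query per line:
#   "<timestamp> <client-ip> <qtype> <qname>"
# This format is an assumption made for the example, not a real product's log format.
SAMPLE_LOG = """\
2025-01-31T10:00:01Z 192.168.1.57 A ycxrl.com
2025-01-31T10:00:02Z 192.168.1.12 A www.example.com
2025-01-31T10:00:31Z 192.168.1.57 A update.ycxrl.com
2025-01-31T10:01:01Z 192.168.1.57 A YCXRL.COM.
2025-01-31T10:01:05Z 192.168.1.12 A notycxrl.com
2025-01-31T10:01:31Z 192.168.1.57 A ycxrl.com
2025-01-31T10:02:00Z 192.168.1.88 AAAA ycxrl.com.lookalike.test
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'ycxrl[.]com' back into a resolvable name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()


def matches_c2(qname: str, c2_domains=C2_DOMAINS) -> bool:
    """True when qname is a C2 domain itself or any subdomain of it.

    Case and the trailing root dot are normalised. Prefix look-alikes such as
    'notycxrl.com' and names that merely contain the domain do not match.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in c2_domains)


def filter_query(qname: str) -> Tuple[str, Optional[str]]:
    """Decision a DNS security filter would take for a single query."""
    if matches_c2(qname):
        return ("BLOCK", "known C2 domain")
    return ("ALLOW", None)


def scan_dns_log(log_text: str) -> Counter:
    """Count C2 lookups per client; one noisy source is the signal worth chasing."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _qtype, qname = parts
        if matches_c2(qname):
            hits[client] += 1
    return hits


def noisy_clients(hits: Counter, threshold: int = 3) -> list:
    """Clients whose number of C2 lookups reaches the alert threshold."""
    return sorted(client for client, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = scan_dns_log(SAMPLE_LOG)
    for client in noisy_clients(counts):
        print(f"ALERT {client}: {counts[client]} lookups of a known C2 domain; audit this device")
```

Blocking the lookup alone stops the C2 session but leaves the infected device in place, so the per-client count is kept separately: it tells the responder which device to pull from the network and inspect for the file-system IOCs listed above.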

Final Thoughts

This case highlights a growing cybersecurity threat: cheap IoT devices like Smart TVs, digital photo frames, or even smart home gadgets can serve as backdoors for cybercriminals. Being proactive is essential to securing your business network.

» Get in touch with our team today for a free, no-obligation consultation.

Able bv, Dan Verbruggen, January 31, 2025