Several users in our forums have reported that their Amazon Fire TV and Amazon Fire TV Stick devices have suddenly become very slow to use. This sudden slowdown coincides with the appearance of an app simply called “test” that keeps popping up randomly. Not only is the popup annoying, but it also causes video playback to stop and apps to stop responding, making it very difficult to continue using the device normally.
As it turns out, this “test” app is actually cryptocurrency malware that is infecting Amazon Fire TV and Fire TV Stick devices. The Test APK with the package name “com.google.time.timer” autostarts itself to execute a variation of the infamous ADB.Miner malware. Once a device is infected, the virus begins to use 100% of the device’s processing resources to mine Monero using CoinHive. To make matters worse, the malware spreads itself to other Android devices on the same network using ADB, making it difficult to deal with the situation.
Is my device infected?
Amazon Fire TV devices that are infected are slowed down drastically, with apps taking really long to load and all actions responding lazily. The Test app will also randomly pop up on the screen and make interaction with the UI difficult.
Simply checking for the Test application in the application list or in the application management settings doesn’t work as the app does not appear in these lists. Instead, use an app like Total Commander from the Amazon App Store to check. The Test app can appear even on devices that have not sideloaded any apps themselves, as the malware can spread itself to other devices over the network.
The exact source application of the malware is currently uncertain. However, it would not be far-fetched to pin the blame on sideloaded apps that aid in piracy of movies and TV shows.
If one of your devices is infected, there is a high chance that other Android devices (and not just Amazon Fire TV devices) on the same network are infected too. Before proceeding for cleanup, ensure that you disable ADB Debugging on all your devices, infected or otherwise.
The most effective solution is to factory reset the infected device, as well as all other devices on the same network. Factory reset can be found in system settings. It will erase everything on the device and start from scratch. Make sure to back up anything important before doing a factory reset.
Uninstall Modded Virus
This solution is not recommended because the extent of the virus and the modifications it does on your system are unknown. You should only consider this option if factory resetting your devices is absolutely not an option.
You can delete the virus files using the following ADB commands:
shell rm data/local/tmp/ufo.apk shell rm data/local/tmp/lock.txt shell rm data/local/tmp/smi shell rm data/local/tmp/endat shell rm data/local/tmp/nohup uninstall com.google.time.timer reboot
Install a modded virus
This solution is inferior to factory resetting your device and hence, not recommended. You can install a modified virus application, created by XDA Member innovaciones, which “turns off” the mining function of the virus. This is achieved by substituting the run.html file in the virus with a blank page that does not have a mining script. Other changes fool the virus into reporting success, while in effect, the virus will not be generating any revenue. You can then hide the application.
You can find the modified virus attached in this post in our forums.
To prevent a re-infection, be careful of the applications that you install on your devices, and turn off “ADB Debugging” when not in use. Even if your devices are not showing a sign of infection, it would be prudent to check for the existence of this app and to keep ADB Debugging disabled until you actually need it.
Source: Fire TV Forums Story Via: AFTV News