The Dragon Touch KidzPad Y88X 10 tablet on Amazon, analyzed by EFF researchers, also comes with preinstalled riskware and an outdated parental control app called KIDOZ.
Retailers like Amazon have played a significant role in popularizing low-cost Android devices for children. However, based on research conducted by the Electronic Frontier Foundation (EFF) on such devices, there is a possibility that they may contain malware.
EFF’s researchers examined the Dragon Touch KidzPad Y88X 10 tablet from Amazon and discovered not only malware but also preinstalled riskware, along with an outdated parental control app called KIDOZ. Following the EFF’s investigations, Amazon removed the product from the platform. However, other Y88X models are still being sold on the site.
It is worth noting here that Amazon devices frequently face criticism due to the presence of preinstalled malware. In January 2023, the company gained attention for selling a T95 Android TV box that harboured sophisticated, persistent, and preinstalled malware embedded in its firmware.
Despite awareness of the issue, Amazon continued to sell these compromised devices until February 2023. In both instances, the devices were also infected by the same Corejava malware.
The Android Open Source Project (AOSP) is Google’s open-sourced Android operating system. Consequently, most Android devices available for purchase come equipped with AOSP, featuring multiple customization layers, commonly referred to as AOSP’s ‘skinned’ version.
In addition to beneficial features, these customized versions can facilitate the inclusion of undesired apps or bloatware. For instance, in 2019, Samsung pre-installed the Facebook app on its phones, allowing users only the option to disable it; however, it was later revealed to be a placeholder app. Nevertheless, in more malicious instances, customized versions can come with preinstalled malware.
That is precisely the case with the Dragon Touch Tablet. Researchers discovered that it harboured the notorious Corejava malware, as evidenced by the presence of directories such as “/data/system/Corejava” and “/data/system/Corejava/node” in the tablet’s firmware. These directories indicated the active presence of Corejava on the device. Another red flag was the inclusion of links to other manufacturers and unusual requests originating from the tablet.
Researchers initially powered on the tablet after the C2 servers of Corejava were taken down to prevent any attempts to download malicious payloads. However, the absence of any noticeable activity suggested a residual remnant of the malware, resembling a ‘copied homework,’ possibly a result of hurried production or left for potential future activities.
Moreover, this tablet was preloaded with Adups, which serve as “firmware over the air” (FOTA) update software and is also found on Android TV boxes. It was incorporated into the system under the name “Wireless Update.”
Adups is classified as malware, although there are supposedly “clean versions,” and one such version was present on this tablet. Adups comes preinstalled with the Dragon Touch OEM, and even after a factory reset, the application reappears, making it impossible to uninstall or disable.
Researchers also noted a significant correlation between Android TV box sellers and the Dragon Touch tablet. The group had registered multiple brands and shared an address with the tablet on Walmart. This led to the conclusion that all devices associated with this seller should undergo thorough scrutiny.
The Dragon Touch tablet is equipped with an outdated KIDOZ app that is apparently adware. Despite being COPPA Certified, this app functions as a mini operating system. Notably, its referrer, Tablet Express, is no longer operational.
This suggests that Dragon Touch has repurposed an old version of the app, which continues to collect and send data to Kidoz.net. The information includes details such as device model, brand, country, screen size, timezone, click events, view events, logtime of events, and the unique KID ID.
Furthermore, researchers discovered that the app Kids Paint FREE transmits precise GPS coordinates to an ad server, even though the server itself does not exist. This raises concerns about the privacy and security implications of the tablet’s preinstalled applications.
“This leakage of device-specific information over primarily HTTP (insecure) web requests can be targeted by bad actors who want to siphon information either on the device or by obtaining these defunct domains,” EFF blog post read.
Despite Amazon’s efforts to combat fake reviews, the marketplace giant needs to do more to address the escalating cybersecurity concerns, particularly when the targets are vulnerable children.