An Android virus, specifically a malware worm variant, has been spreading across Android devices and has started appearing on Amazon Fire TVs and Fire TV Sticks. The worm is not specifically targeting Fire TV devices, but they are vulnerable because of their Android-based operating system. A thread on the XDA forums contains multiple Fire TV owners whose streaming media players have been infected by the malware. Here is everything you need to know about the virus, including what it does, how it spreads, how to know if your devices are infected, how to prevent getting it, and how to remove it if your device is infected.
About the Malware
The worm appears to be a version of a piece of Android malware called ADB.Miner that was first discovered earlier this year and has been spreading. The particular version appearing on Fire TV devices installs itself as an app called “Test” with the package name “com.google.time.timer”. Once it infects an Android device, it begins to use the device’s resources to mine cryptocurrencies and attempts to spread itself to other Android devices on the same network.
How it spreads
The malware appears to be getting installed by apps that are being sideloaded onto Fire TV devices. It is unknown which specific apps include the malware, but it seems that apps created for the purpose of watching pirated movies or TV shows are likely how the malware infects its first device. Once an initial device is infected, the malware can spread itself to other devices over ADB, even if those other devices never had apps sideloaded.
Symptoms of an infected device
Infected devices will become very slow to use. Loading apps will take longer than usual. This is because the malware is using 100% of the device’s processor to mine cryptocurrency. A screen that says “Test” with a green Android robot icon will also occasionally appear randomly on infected devices. This screen causes video playback and apps to abruptly stop, making the device difficult to use normally.
How to know if your device is infected
The simplest way to know if your device is infected is to see if you have an app named “Test” installed. If the app is present, it DOES NOT appear in the Fire TV’s regular app sections or in the Fire TV’s application management settings. You’ll need to use an app like Total Commander to check for the “Test” app.
- Install Total Commander from the Amazon appstore onto your Fire TV device.
- Launch Total Commander and select the “Installed Apps” menu item.
- If you see an app called “Test” installed on your device, then your device is infected.
How to prevent getting infected
To make it impossible for your Fire TV device to become infected by this malware, go to your Fire TV device’s Settings and select the “Device” menu item. Then select “Developer options” and ensure that “ADB debugging” and “Apps from Unknown Sources” are both set to “OFF”. These settings are off by default, so if you’ve never changed them, then you have always been safe from this malware.
There are good reasons for enabling either or both of these options, such as if you’re an app developer or if you want to sideload trusted apps. To keep your device safe, it is important to know how each of these two developer options makes your device vulnerable.
The “ADB debugging” option makes it possible for other devices on your network to remotely install apps onto your Fire TV device. This app installation process is done silently and does not produce any kind of prompt or approval request on the Fire TV itself. The only indication that the new app has been installed is a message that appears in the lower right corner of the Fire TV. This message disappears after a few seconds. The malware uses this ADB installation method to spread itself from infected devices to uninfected devices.
Newer Fire TV devices running Fire OS 6, which include the Fire TV 3 (pendant), Fire TV Cube, and 2nd-Gen Fire TV Edition televisions, have implemented an extra layer of protection for ADB connections. When a new device tries to connect to a Fire TV running Fire OS 6 for the first time, a prompt appears on the screen to approve the connection. If you ever see this prompt and you yourself did not initiate the connection, DO NOT allow the connection.
Older Fire TV devices running Fire OS 5, which include the Fire TV 1, Fire TV 2, Fire TV Stick 1, Fire TV Stick 2, and 1st-Gen Fire TV Edition televisions, do not ask for approval when a device connects via ADB. This is an oversight with all Android devices from this era, not just Amazon Fire TVs. It is for this reason why it is recommended to never leave ADB debugging on all the time. Only turn it on when you need it and turn it off immediately after you’re done using it.
If you’re not an app developer, you likely never need to enable ADB debugging. It is NOT necessary to enable ADB debugging if you are sideloading apps using my Downloader app. Sideloading utilities that run on a computer or mobile phone do require enabling ADB debugging on the Fire TV to successfully sideload, but, for this reason, it is safer to sideload using an app like Downloader.
The “Apps from Unknown Sources” option makes it possible for apps that are already installed on your Fire TV to install other apps. This option needs to be enabled if you are sideloading apps using my Downloader app. This method is safer than the ADB debugging method because apps cannot be installed silently through the Unknown Sources option. Any app that tries to get installed through this setting will display a full-screen message asking for you to approve the app that is trying to be installed.
If you ever see a request, like the one above, for an app to be installed that you yourself did not initiate, always select cancel. If you are sideloading an app and approve the installation and then see a second request for approval, you should cancel the request because the app you just installed is likely trying to install another app without you noticing. If you are sideloading apps onto your Fire TV device, always ensure that you trust the source of the app. Always try to download APK files directly from the app developer and not from third-party sources.
How to remove the Malware
Method 1: Factory Reset (Recommended)
Since the extent of the changes that the malware makes to the device are unknown, it is recommended to reset all changes by performing a factory reset. Before doing so, you should power off all Fire TV and Android devices that could be infected, so that your devices do not get re-infected after the factory reset. Putting the devices to sleep is NOT enough. You must unplug their power.
Once all devices but one are off, go to the Settings menu on the Fire TV you want to factory reset, select the “Device” menu item, and select the “Reset to Factory Defaults” option. If your device is rooted, follow these factory resetting instructions instead. Rooted devices should also have their pre-rooted ROM reinstalled. After the device has been reset to factory defaults, DO NOT turn on ADB debugging until after all devices have also been reset to factory defaults or you risk re-infecting your reset devices.
Remember, it is much safer to only turn on the “Apps from Unknown Sources” option and use my Downloader app for sideloading if you need to sideload apps after your device has been reset. Sideloading through the Downloader app does not require enabling ADB debugging.
It is also important to realize that an app of questionable origin that you sideloaded before is likely how your devices were infected in the first place. Be careful what you sideload and question the origin of all APKs you download.
Method 2: Uninstall the Malware
If you dread the idea of factory resetting your device and having to re-install all of your apps and start over, then you can try uninstalling the malware. This option is not recommended because it is unknown what other changes the malware has made to your device.
Before uninstalling the malware, you should power off all Fire TV and Android devices that could be infected, so that your devices do not get re-infected. Putting the devices to sleep is NOT enough. You must unplug their power.
Once all devices but one are off, go to the Settings menu on the Fire TV and select the “Device” menu item, and select “Developer options.” Make sure that “ADB debugging” and “Apps from Unknown Sources” are both OFF. Next, install the app Total Commander from the Amazon appstore. Launch Total Commander and select the “Installed Apps” menu item. Then select the “Test” app from the list and select “Uninstall” twice. Now power off the device and do the same for all other infected devices.
If you must turn on ADB debugging, only do so after all devices have been cleaned of the malware. Remember, it is much safer to only turn on the “Apps from Unknown Sources” option and use my Downloader app for sideloading if you need to sideload apps. Sideloading through the Downloader app does not require enabling ADB debugging.
It is also important to realize that an app of questionable origin that you sideloaded before is likely how your devices were infected in the first place. Be careful what you sideload and question the origin of all APKs you download.
Method 3: Install Modified Malware
If you do not want to factory reset your device and/or the malware keeps reappearing because your Fire TV keeps getting reinfected, you can try installing a modified version of the malware that doesn’t actually mine cryptocurrency. An XDA user by the name of innovaciones created this modified version of the malware. When installed, it updates the existing malware to a version that essentially turns off the miner. Obviously, it’s best to remove the malware entirely, but several people have reported that this modified version fixed their issues when they were unable to remove the malware entirely.
You can get the modified APK from this XDA post or from the short URL http://bit.ly/testappfix. The easiest way to install the modded malware is to use my Downloader app and enter
If you must turn on ADB debugging, only do so after all devices have the modded malware installed. Remember, it is much safer to only turn on the “Apps from Unknown Sources” option and use my Downloader app for sideloading if you need to sideload apps. Sideloading through the Downloader app does not require enabling ADB debugging.
It is also important to realize that an app of questionable origin that you sideloaded before is likely how your devices were infected in the first place. Be careful what you sideload and question the origin of all APKs you download.
Is any antivirus for android detecting the miner?
For those of us that can adb into the device, in what directory would we look for what file? Shouldn’t we be able to safely eliminate it that way?
You can uninstall it by running the ADB command:
But remeber to turn off all other devices first, if you have others, so you don’t get re-infected before turning off ADB debugging.
There are also supposed to be some files in the /data/local/tmp/ directory. I assume, since it’s a temp directory, it’s safe to wipe everything in there, but I’m not sure. If you want to do that at your own risk, you would run the command:
Since we don’t know what the virus does beyond running a miner, it’s still best to factory reset, even if you’re comfortable with ADB.
See here for an analysis of the original version of this virus. It did a lot more than simply install a single mining APK. So not sure if this “Test” / “.Timer” version has more to it.
https://paper.tuisec.win/detail/60da76bc9c1b5cb
So my /sdcard/Android/data only contains:
com.amazon.avod
com.amazon.bueller.music
com.amazon.device.software.ota
com.amazon.securitysyncclient
com.amazon.tv.launcher
com.amazon.venezia
com.firsthash.smartyoutubetv2
com.semperpax.spmc16
with an uninstallation of com.madfingergames.shadowgun_amz.
As I understand the problem, I’m clear, right? Does it hide somewhere else?
I’m not completely averse to a factory reset, but, jeez, its a bit of a hassle right now…
That directory holds data for some apps and is not an indicator of what apps you have installed.
If you want to see what apps are installed via an ADB command, run:
If you see com.google.time.timer on the list, then the device is infected.
Ooook… so how would this get on my phone from my firestick!!?? Do I type the adb shell pm list packages -f in my phone browser or is this just for my fire stick? I did have the allow USB debugging message on my TV but I did not allow.
Wish I thought of this haha
Good timely article.
I wonder what Kodi addon caused this…
Rather seems like an attempt to get users to only use the Amazon app store.
Thank you for this advice. My device is not infected, thank goodness. But I had to turn my ADB debugging off and I had to turn off the apps from unknown sources off. I didn’t know they were on until I read this article.
A malicious piece of software can be easily made and infect devices…. but root cant be done, “because no exploit exsists” get out of here. give us root support again.
If you’re FireTV is rooted and you need to remove the worm but have decided to skip the Factory Reset, then it’s probably best, after the other cleanup steps, to reinstall your pre-rooted ROM (or install a newer ROM version if you prefer). Installing a pre-rooted ROM does not wipe the device, so your apps and configuration should remain.
The recommendation to reinstall follows from information provided in ADB Miner paper at https://paper.tuisec.win/detail/60da76bc9c1b5cb, which says:
If /system/bin/debuggerd exists, replace with the released debuggerd script;
This file does in fact exist on my FireTV (the other 2 files listed in the paper did not exist when I checked). I expect a reinstall will fix this, and maybe other nasties left by the worm.
Great advice. I’ve updated the article with instructions for factory resetting a rooted device and re-installing the ROM.
So…. /system/bin/debuggerd appears in the task manager list on my Chromebook. A fresh usb restore image was created through Chrome on a different computer. I installed the fresh image once all other devices were off the network. If I skip the Play Store portion of the install, /system/bin/debuggerd does not appear in the task manager. Once the Play Store goes through its setup process (and before any stock apps update), debuggerd appears in the task manager. I guess I don’t understand why (under these conditions) this would indicate ADB Miner activity, reinfection, etc?
Axe,
Seeing debuggerd in the task manager doesn’t have to mean you’re infected. Android includes a tool called debuggerd that generates crash dumps (diagnostic information when a program crashes). The worm replaces it with a version that, apparently, causes trouble. So just seeing debuggerd in a task list doesn’t mean you are infected. You say you installed a fresh image, that should clean everything out.
You could always check how busy the CPU is using Chromebook Task Manager (Google it if you need to). If ADB Miner is active on your system, the CPU usage should high even when you’re not running anything.
Good Luck,
Jim
P.S. Note: I only know what I read in the linked paper. Plus Google provided more information about debuggerd:
https://kobablog.wordpress.com/2011/05/12/debuggerd-of-android/
https://android.googlesource.com/platform/system/core.git/+/android-4.2.2_r1/debuggerd/debuggerd.c
I was totally unaware of this. Many thanks for your detailed information which was most helpful.
What about apps that regularly have a new/updated version available for download, Terrarium for example. Will “Apps from unknown sources” have to be switched back on for that?
Yes, anytime an app wants to install an APK, you’ll need to turn on “Apps from Unknown Sources” for the installation to succeed. You can leave it on all the time as long as you and others in your household aren’t the type to just accept a random install request without investigating what is asking to be installed. Leaving “ADB debugging” on all the time leaves your device much more vulnerable because that option allows for countless silent changes to occur in the background without any on-screen indication. As mentioned in the article, the “Apps from Unknown Sources” option will always display a full-screen message when an app tries to install another app and the only thing that that option allows is the installation of apps.
Thanks Elias
Hi guys. I had this “Test” malware, but now I have recovered.
Let me share with you my chat transcript from Amazon on May 22, 2018.
11:48 PM PDT Spencer Cole: Hi there
11:49 PM PDT Selva (Amazon): Hello, my name is Selva. I’m here to help you today.
11:49 PM PDT Spencer Cole: I own a 2nd generation Fire TV Stick and a 3rd generation Fire TV. Concerning my Fire TV Stick, two months now an app called “Test” keeps popping up at all times, disrupting anything that I am watching at any moment. The “Test” app just has a white screen and in the top left corner has a green android bot and the word test. Could I have your help as to how to overcome this problem?
11:50 PM PDT Selva: No issues, Spencer. I will certainly help you with this.
11:50 PM PDT Spencer Cole: My Fire TV (3rd gen) does not have this issue.
11:51 PM PDT Selva: I am checking this for you.
11:52 PM PDT Selva: May I know the current country which you are living?
11:54 PM PDT Spencer Cole: I’m in UK right now
11:55 PM PDT Selva: Okay Spencer. Thanks for confirming. Just a moment please.
11:58 PM PDT Selva: I’ve updated the settings successfully. Please unplug the device and plug it again.
11:59 PM PDT Spencer Cole: Just a sec please.
11:59 PM PDT Selva: Sure Spencer.
12:03 AM PDT Spencer Cole: OK. Done. What am I supposed to expect now?
12:05 AM PDT Selva: Great! Please check now whether the “Test” app opening or not.
12:12 AM PDT Spencer Cole: It seems it got fixed, but I’m not sure whether it’ll be permanent. Let me experiment a little and come back if it returns.
12:13 AM PDT Selva: Great to hear!
12:14 AM PDT Selva: It might be happened due to some intermediate issue. If the issue still persists, please try to reset your device.
Does turning off ADB debugging cause the Mouse Toggle to stop working?
I believe so, also definitely Fire Starter if you use it.
I was hoping to hear there was a fix for turning ADB debugging off to use the mouse toggle. I haven’t seen one. I see Mouse Toggle has been updated for the New Fire TV Cube, but it does not seem to fix this issue. My Mouse Toggle has been off sinc this news and its frustrating. I may just try a Bluetooth keyboard, but wish they would do something to stop this worm so I can go back to the Mouse Toggle. I wish the developer when he came out with the new updated Mouse Toggle could have done something.
What about KODI add-on updates?
I believe auto update add-ons is set to “ON” by default.
Mine is set to “OFF” but Notify when updates are available.
Some folks might not know to check these settings.
Kodi add-ons are not APKs so they do not need either “ADB debugging” or “Apps from Unknown Sources” turned on to download updates and install.
Thanks Elias, yes of course. I guess I was questioning whether this worm ONLY comes in the form of this APK? There have been cases of malicious scripts getting through Kodi including through the downloading of subtitles, Kodi CAN be an open backdoor if left unchecked.
I was thinking the same, some Kodi builds have adding/lists of APKs to install so I know sideloading can be done in Kodi. Question is whether or not some unscrupulous addon/build developer is including infected APKs in their distro.
I’m pretty sure the permission has to granted within Kodi itself for 3rd party apps.
https://www.makeuseof.com/tag/kodi-repos-uninstall-avoid/
That should give you a clear idea of what repositories to avoid which ultimately produce those said add-on’s.
I’m lost as to why the user has to jump through these hoops. Why can’t an update from the manufacturer address this, especially since it’s been fixed in newer devices. Seems there’s a plug for the user to upgrade.
It’s called the Hero Syndrome. It’s a real thing and it can manifest itself in people, Fortune 500 companies, and even government.
Don’t forget your tablets. I’ve got a couple of the 7″ ones that I use exclusively as Harmony remotes, not sure why but both had ADB debugging turned on, even though I don’t think it was necessary to install Google Play Store or the Logitech app. Thanks for the heads up Elias. Interesting how the vast majority of articles a Google search returns reference AFTV News as their source!
Does this virus infect fire tablets as well? Also, appstarter has a feature to show all hidden files. Does this suffice or do I still need to use total commander to see it?
Almost seems to be a scare tactic in an attempt to ween people away from sideloading/using apps that promote piracy, Ijs
Or to install this “Total commander” and get some easy downloads from people and therefore more ad revenue.
Hi,
you can scan your TV with ESET Smart TV Security https://play.google.com/store/apps/details?id=com.eset.etvs.gp
If you have a licences for ESET Mobile Security for Android or an ESET Multi Device License, you can also use it on ESET Smart TV Secuirty.
This anti virus app, scans also USB connected devices, apps and downloads.
Yep, my fire TV had the test app installed. I say this on a push notification and just blew it off. So what app particularly is behind this? Terrarium, TvTap (formally uktvnow), Mobdro or swift streamz. Almost positive it was via the terrarium or unktvnow. I don’t see where it made it to my fire tablet, but it could’ve reached my phone and galaxy tablet as both would’ve been vulnerable. dang who who knows what they were able to grab from me. Can they also reach and infect PC’s?
Well from Reddit threads and other boards I’m reading, Mobdro seems to be coming up a lot as a prime suspect.
I saw this on a 1st Gen. FireStick 3 weeks ago, green logo and all! The stick was acting funny so I did a factory reset. Total Commander here I come. Thanks for the heads up!
ok so, does this affect all android devices on the same network with USB debugging and unknown apps enabled. or this primarily fire tvs and fire tablets? My Samsung tablet and phone have marshmallow installed
Reposting this comment from Engadget:
On top of that, the likelihood of this happening on an Android phone is close to 0. The most “vulnerable” aspect of this attack has been fixed in “Google” Android devices for years. The rest of the devices disable ADB over the network as soon as you reboot. So the worm aspect is practically non-existant.
Can someone here explain this, seems this might stop alot of the spreading over network
There are two ways to connect to an Android device via ADB: through a USB cable or through the network. This virus can only spread via a network ADB connection. Most Android devices are configured, by default, to only accept ADB connections via a USB cable. You have to manually switch the device to use ADB via the network if that’s how you want to connect to it. This is because it’s much easier to just plug an Android phone into a PC using a USB cable and use ADB that way, instead of figuring out IPs and dealing with port forwarding. Most Android developers prefer using a USB cable, so that is the default setting on most Android devices.
This is the “fix” that the commenter is referring to. By keeping network ADB disabled by default, even when ADB debugging is enabled, the device is safer because there is one less way for a connection to be made.
ADB over a USB cable is not available on all Fire TV devices. This is because not all Fire TV models have a way to be connected to a PC through a USB cable. A USB cable is also inconvinent because it means your TV and PC have to be physically next to each other. That is why, when you enable ADB debugging on a Fire TV device, it allows network ADB connections immediatly. If it didn’t do this, then all Fire TV developers would have to first somehow connect their Fire TVs to a PC in order to enable the much more convineint ADB netowrok connection.
Hearing reports of a lot of Fire TV Sticks deregistering could this be related?
Had a stick deregistered on me last night, but no “test” file in the stick???
It appears to be related to the update Amazon is pushing out,for whatever reason some devices deregister after the update is installed none to my knowledge have had the Test Malware but all had been updated.
People, if you have doubts then install Norton for Android and scan the device and then disable apps from unknown.
Any updates on the app behind this?
I haven’t been able to track down how an initial device is being infected. I’ve installed a bunch of shady seeming APKs of piracy apps and haven’t been able to get a device infected. I’m starting to think that Amazon has quietly done something to block the virus on Fire TVs.
I still have the apks installed, I could rip them and send them. But this was likely all pushed with an update via a server. Also worth noting uktvnow changed their name recently, although I don’t know why. The devs might be totally innocent here, I’m leaning towards a modified app uploaded to another popular 3rd party site.
Just sent you an email.
I just tried the url http://bit.ly/testappfix it reads Error not found