Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Reddit r/netsec

Reverse engineered SilentSDK - RAT and C2 infrastructure found on beamers, sold on Amazon/AliExpress/eBay

A supply chain attack embeds a Remote Access Trojan (RAT) in multiple brands of Android projectors using the Allwinner H713 chipset, sold via major online retailers. The pre-installed "StoreOS" system app acts as a dropper, silently downloading and installing the "SilentSDK" RAT with root privileges, which then establishes a persistent C2 connection to Chinese domains for data exfiltration and arbitrary code execution. Immediate mitigation requires blocking C2 domains (e.g., *.aodintech.com, api.pixelpioneerss.com) at the network level, as the malware is factory-installed and deeply embedded, with manual removal only possible via ADB for end-users.

Pre-installed C2 Infrastructure and RAT Payload on Android Projectors
Technical Analysis Report — Security Research

Affected Devices: Multiple Android projectors of the brands Hotack, Huyukang, Magcubic, Nonete (e.g., Model HY260Pro)
Chipset Platform: Allwinner H713 / sun50iw12p1 — potentially affects all devices on this platform
Analysis Period: April 11–12, 2026
Classification: Pre-installed Command-and-Control infrastructure with Remote Access Trojan payload

TL;DR

The Problem: Numerous cheap Android projectors (brands like Magcubic, Hotack, etc., utilizing the Allwinner H713 chip), currently sold in massive quantities on Amazon, eBay, and AliExpress, are infected with malware straight from the factory (Supply Chain Attack, similar to the "BADBOX" cases).

The Mechanism: A seemingly harmless system app ("StoreOS") acts as a disguised dropper. It completely silently downloads a Remote Access Trojan (RAT) named "SilentSDK" in the background and installs it with maximum system privileges.

The Danger: The malware establishes a persistent C2 connection to China (api.pixelpioneerss.com), extracts sensitive device IDs, and can download and execute arbitrary additional malicious code with root privileges at any time (chmod 777). Additionally, the devices feature open root backdoors.

Immediate Mitigation: The C2 domains (especially *.aodintech.com and api.pixelpioneerss.com) must be blocked at the network level. Affected users can only disable the malicious apps manually via ADB, as they are deeply embedded in the system.

Urgency Notice

The malware infrastructure documented in this report is pre-installed on Android projectors currently being sold in large quantities to end consumers on Amazon, eBay, and AliExpress. The affected devices span multiple brand names (Hotack, Huyukang, Magcubic, Nonete, among others) but share the same OEM platform from the company 蓝鲨 (Blue Shark, Shenzhen). Identical C2 infrastructure has been independently confirmed on other devices from the same manufacturer (see Section 13). The pattern matches the BADBOX cases. At the time of analysis, the C2 servers were active and delivering a payload verified as a RAT to all devices worldwide (zone: "Global").

Table of Contents

1. Device Identification
2. Investigation Workflow
3. Root Access — Exploit Path
4. C2 Server Response — Core Evidence
5. Malware Ecosystem Overview
6. StoreOS — Dropper Analysis (com.htc.storeos)
7. SilentSDK — RAT Analysis (com.hotack.silentsdk)
8. EventUploadService — Telemetry (com.htc.eventuploadservice)
9. ExpandSDK — Ad-Injection (com.htc.expandsdk)
10. System Backdoors
11. Network Forensics
12. Device Spoofing (Build-Fingerprint Spoofing)
13. External Confirmation
14. Indicators of Compromise (IOCs)
15. MITRE ATT&CK Mapping
16. Immediate Mitigations
17. Sources

Purchased Device: Amazon Link - Nonete Mini Beamer 4K 1080P

1. Device Identification

Brand Name: Hotack / Huyukang / Magcubic HY260Pro
Internal Model Name: NT10
SoC: Allwinner sun50iw12p1 (ARM 32-bit)
Operating System: SpectraOS (Android 11, Kernel 5.4.99)
Real Build Fingerprint: Allwinner/h713_tuna_p3/h713-tuna_p3:11
Spoofed Build Fingerprint: ADT-3/adt3/adt3:11/RP1A.201005.006
SELinux: Permissive (no enforcement)
Platform Signing Key: Public AOSP Test Key
OEM Certificate: CN=蓝鲨, OU=www.bsh.me, C=CN
Firmware Channel: HY260Pro_SpectraOS_TPYB

Note on scope: The Allwinner H713 chipset is built into numerous cheap Android projectors sold under changing brand names in the European market. The identical firmware base (h713_tuna_p3) and identical C2 operator (Shenzhen Aodin Technology) strongly suggest that all devices from this OEM contain the same infrastructure.

2. Investigation Workflow

Step → Action → Result
1. Wireshark capture of network traffic → HTTP traffic to store-api.aodintech.com
2. Decoding of the gzip-compressed C2 response → 7 apps, including hidden "SilentTools"
3. AES-CBC decryption of the download path → Key 6c4928fb40e31789, URL to .bpp file
4. Root exploit via /oem/customer.prop → uid=0(root) after property injection
5. Forensic dump of /data, /oem, /system → APKs, databases, configurations
6. Static analysis of StoreOS DEX → pm install -r, byte-reversal protection
7. Reverse engineering the reverseLen mechanism → Understanding of the anti-analysis protection
8. Breaking the byte-reversal protection → Decrypted, analyzable SilentSDK DEX
9. XOR decryption of SilentSDK strings → C2 domain api.pixelpioneerss.com confirmed
10. Hash verification across three sources → MD5/SHA-256 match perfectly

3. Root Access — Exploit Path

Root access was achieved through a combination of three vulnerabilities:

- SELinux Permissive — Access violations are only logged, not blocked.
- World-writable /oem — The partition is mounted as FAT with fmask=0000.
- customer.prop loaded at boot — Overwrites system properties.

    adb shell getenforce                                         # Result: Permissive
    adb shell ls -la /oem/                                       # All files world-writable
    adb shell 'echo "ro.debuggable=1" >> /oem/customer.prop'
    adb shell 'echo "service.adb.root=1" >> /oem/customer.prop'
    adb shell 'e...
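As an added example that is not part of the report or the original post, the script below turns the indicators the report names (the C2 domains *.aodintech.com and api.pixelpioneerss.com, and the four package names from the table of contents) into two defensive checks: flagging DNS query log lines that resolve those domains, and spotting the packages in `adb shell pm list packages` output. The DNS log format and all sample lines are constructed for the example.

```python
import fnmatch
import re

# Indicators quoted in the report: C2/dropper domains and the four package names.
IOC_DOMAIN_PATTERNS = ("*.aodintech.com", "aodintech.com", "api.pixelpioneerss.com")
IOC_PACKAGES = frozenset({
    "com.htc.storeos",             # StoreOS dropper
    "com.hotack.silentsdk",        # SilentSDK RAT
    "com.htc.eventuploadservice",  # telemetry
    "com.htc.expandsdk",           # ad injection
})

# Constructed (hypothetical) DNS log format: "<timestamp> <client-ip> query <name>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")

def domain_is_ioc(name):
    """True if a queried name matches one of the report's C2 domains (suffix-anchored, not substring)."""
    host = name.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(host, pat) for pat in IOC_DOMAIN_PATTERNS)

def flag_dns_queries(lines):
    """Return (client, host) pairs for log lines that queried an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and domain_is_ioc(m["name"]):
            hits.append((m["client"], m["name"].rstrip(".").lower()))
    return hits

def flag_packages(pm_output):
    """Return IoC package names found in `adb shell pm list packages` output."""
    found = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[8:] in IOC_PACKAGES:
            found.add(line[8:])
    return sorted(found)

# Constructed sample input: one projector (192.168.1.50) plus benign and look-alike traffic.
SAMPLE_DNS_LOG = [
    "2026-04-11T20:01:02Z 192.168.1.50 query store-api.aodintech.com.",
    "2026-04-11T20:01:05Z 192.168.1.20 query www.example.com.",
    "2026-04-11T20:02:11Z 192.168.1.50 query api.pixelpioneerss.com.",
    "2026-04-11T20:02:30Z 192.168.1.50 query aodintech.com.lookalike.example.",
]
SAMPLE_PM_OUTPUT = "package:com.android.settings\npackage:com.htc.storeos\npackage:com.hotack.silentsdk\n"

if __name__ == "__main__":
    print(flag_dns_queries(SAMPLE_DNS_LOG), flag_packages(SAMPLE_PM_OUTPUT))
```

Any package this reports is one the report says can only be disabled manually over ADB; the look-alike sample line shows why the domain match is anchored to the suffix rather than a substring.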
