
The $35 Projector: Uncovering a Manufacturer-Backed Malware Pipeline

May 19, 2026


The allure of a $35 projector promising 4K support and 8000 lumens is strong, but as one security researcher discovered, the real cost is often hidden in the firmware. What begins as a suspicious DNS query in a Pi-hole log can unravel into a sophisticated, manufacturer-backed operation that transforms consumer electronics into a global network of residential proxies.

This investigation highlights a chilling trend in the IoT supply chain: the transition from simple adware to full-scale Remote Access Trojans (RATs) baked into devices at the factory level.

The First Red Flags

Upon connecting a Magcubic HY300 Pro+ projector to Wi-Fi, the device immediately began "phoning home" to several suspicious domains, including o.fecebbbk.xyz and usmyip.kkoip.com, despite no apps being opened or browsers launched.

Initial investigation using adb and jadx revealed a series of pre-installed packages using the com.htc. namespace, an impersonation of HTC on a device actually manufactured by Hotack. After rooting the device and disabling five suspicious packages (including com.hotack.silentsdk and com.htc.eventuploadservice), the malicious DNS traffic ceased, confirming these apps as the culprits.

Accelerating Analysis with Claude Code

Reverse engineering obfuscated Android APKs is traditionally a grueling process of tracing reflection chains and decrypting strings by hand. To speed this up, the researcher employed Claude Code, an AI agent capable of interacting with the CLI and writing code.

By providing the agent with the decompiled source and a clear mission, the AI autonomously performed several critical tasks:

  1. Automated Decryption: The malware used a rotating XOR cipher to hide URLs and shell commands. Claude Code identified the pattern and wrote a Python script to decrypt every call in the codebase automatically.
  2. Protocol Reconstruction: The agent traced the C2 (Command and Control) communication logic, identifying a custom binary message format consisting of a version field, AES-128-CBC ciphertext, a random IV, and the encryption key appended in plaintext.
  3. Active C2 Interaction: In a surprising move, the AI wrote a functional Python client to communicate with the live C2 server (api.pixelpioneerss.com). This revealed that the server was tracking the researcher's IP address and geolocation in real-time and serving next-stage payloads.
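As an added example (not code from the write-up or from the researcher), the following Go program parses and decrypts a message in the format described in item 2, under the assumed layout of a one-byte version, the ciphertext, a 16-byte IV and the 16-byte key at the end; EncodeMessage exists only to construct a sample. The point for defenders is that because the key is shipped inside every message, anyone holding a packet capture can read the traffic, so the encryption hides nothing from network monitoring.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

const keyLen, ivLen = 16, 16 // assumed layout: [version:1][AES-128-CBC ct, PKCS#7 padded][IV:16][key:16]

// pkcs7Unpad strips PKCS#7 padding; b must be non-empty (DecodeMessage guarantees it).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted ciphertext")
	}
	return b[:len(b)-n], nil
}

// EncodeMessage builds a message in the assumed format; it exists only to construct samples for DecodeMessage.
func EncodeMessage(version byte, key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	msg := append([]byte{version}, ct...)
	return append(append(msg, iv...), key...), nil
}

// DecodeMessage decrypts a captured message using only the bytes it carries: the key rides in the clear.
func DecodeMessage(msg []byte) (byte, []byte, error) {
	n := len(msg)
	if n < 1+aes.BlockSize+ivLen+keyLen || (n-1-ivLen-keyLen)%aes.BlockSize != 0 {
		return 0, nil, errors.New("malformed message: too short or ciphertext not block-aligned")
	}
	key, iv, ct := msg[n-keyLen:], msg[n-keyLen-ivLen:n-keyLen], msg[1:n-keyLen-ivLen]
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	return msg[0], pt, err
}
```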

The Malware Ecosystem: A Three-Stage Attack

The investigation uncovered a coordinated suite of malware designed for persistence and modularity:

Stage 1: The Dropper (com.hotack.silentsdk)

This app runs with android.uid.system privileges, meaning it was signed with the manufacturer's platform certificate. It ensures boot persistence by registering a high-priority boot receiver and running as a systemExempted foreground service, making it virtually unkillable by the OS.

Stage 2: The Framework (magic.v6037)

Once the dropper contacts the C2, it downloads a JAR containing a DEX file. This payload is loaded dynamically via reflection to evade static analysis. This framework acts as a component manager, checking into a secondary C2 (bur.thedynamicleap.com) every 15-30 minutes.

Stage 3: The Plugins

The framework can download and execute additional modular plugins on demand, allowing the attacker to pivot their capabilities based on the target's environment.

The Business Model: Selling Your Network

The most alarming discovery was the connection to kkoip.com, a front for Kookeey, a commercial residential proxy provider. Kookeey markets access to millions of residential IPs to customers globally.

As the researcher noted:

"My $35 projector wasn't just spying on me. It was selling my network. Anyone who paid Kookeey for proxy access could route their traffic through my IP, making it look like their requests came from a Stanford dorm room."

This represents a predatory business model: sell hardware at near cost, then monetize the user's home network by conscripting it into a commercial proxy service. As one community member pointed out, this is even more dangerous than simple bandwidth selling, as it creates a "universal binary delivery system" that could potentially be used to deploy further attacks within a local network.

Firmware-Level Persistence

The malware is not a simple app installation; it is integrated into the system image. Analysis of the firmware revealed:

  • Defense Neutralization: A script (/system/bin/appsdisable) runs at first boot to disable Google Play Protect and other Google Android boot receivers.
  • Silent Installation: A /system/bin/preinstall script silently installs APKs from multiple directories.
  • Custom Kernel: The kernel was custom-compiled by Hotack on enterprise-grade hardware (Dell PowerEdge R740), proving this is an organized industrial operation rather than a hobbyist project.

Conclusion and Mitigation

This case serves as a warning about the "cheap IoT" supply chain. When a device is sold significantly below market value, the user is often the product.

For those owning similar devices, the recommended actions are:

  • Isolate the device: Place it on a separate VLAN with no internet access or strictly blocked outbound traffic.
  • Disable malicious packages: Use ADB to disable com.hotack.silentsdk and the com.htc. suite of packages.
  • Avoid Factory Resets: Since the malware is baked into the firmware, a factory reset simply reinstalls the malicious components.
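As an added illustration (not code from the write-up), the following Go program applies the isolation advice above on the detection side: it scans Pi-hole/dnsmasq query log lines for the domains named in this story and reports which client IPs contacted them. The log lines are constructed, and matching on the registrable domains of the hostnames in the story (rather than the exact hostnames) is an assumption.

```go
package main

import (
	"regexp"
	"strings"
)

// Registrable domains of the hostnames named in the story; queries for them or any subdomain are flagged.
var indicators = []string{"fecebbbk.xyz", "kkoip.com", "pixelpioneerss.com", "thedynamicleap.com"}

// dnsmasq/Pi-hole query line, e.g. "... dnsmasq[812]: query[A] o.fecebbbk.xyz from 192.168.1.50".
var queryRe = regexp.MustCompile(`query\[[A-Z]+\] (\S+) from (\S+)`)

// MatchIndicator reports which indicator a queried name falls under, matching only on
// label boundaries so that "notkkoip.com" is not mistaken for "kkoip.com".
func MatchIndicator(name string) (string, bool) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, ind := range indicators {
		if name == ind || strings.HasSuffix(name, "."+ind) {
			return ind, true
		}
	}
	return "", false
}

// FlagClients scans log text and returns, per client IP, the distinct indicator domains it
// queried, in first-seen order. A client with hits is a candidate for the isolated VLAN.
func FlagClients(log string) map[string][]string {
	hits := map[string][]string{}
	seen := map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := queryRe.FindStringSubmatch(line)
		if m == nil {
			continue // replies, cache entries and other non-query lines
		}
		ind, ok := MatchIndicator(m[1])
		if !ok || seen[m[2]+"|"+ind] {
			continue
		}
		seen[m[2]+"|"+ind] = true
		hits[m[2]] = append(hits[m[2]], ind)
	}
	return hits
}
```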

As the tools for reverse engineering become more accessible through AI agents, the veil of "security by obscurity" is thinning. However, the scale of these devices—millions of units sold across Amazon, Temu, and AliExpress—suggests that a massive, invisible proxy network is already in place.
