The BigdroidOS Scam: How a "Xiaomi TV Box S" Tried to Fool Me (And Almost Succeeded)
I bought what I thought was a Xiaomi TV Box S (3rd Gen) from one of Sri Lanka's more reputable electronics retailers. The box looked legit: high-quality printing, proper specs listed (Quad-core, 32GB storage, WiFi 6, Dolby Vision), and priced at LKR 20,000. That should have been my first warning. The genuine device sells for LKR 27,000-30,000.
What followed was a masterclass in how modern counterfeit operations work. This isn't just a fake sticker slapped on a generic box. This is BigdroidOS, an open-source firmware that many attackers use as the base for sophisticated, malicious firmware designed to lie, persist, and phone home to command servers.
The First Red Flags

I always verify new hardware with AIDA64. Within minutes of plugging this thing in, the app told me a completely different story than the packaging:
- Actual RAM: 2GB (not specified on box)
- Actual Storage: 16GB (not 32GB)
- Actual SoC: Allwinner H313/H616 with Cortex-A53 cores
- Actual Android Version: 12 (with a security patch from February 2022)
- GPU: Mali-G31
- Bluetooth: Version 4+
- Developer options were force-disabled with no way to enable them

Meanwhile, the Settings app was already gaslighting me: it showed Android 14 with a May 2025 security patch. The Play Store immediately flagged the device as uncertified, and DRM Info showed Widevine L3 (no HD streaming for you). Developer options? Forcefully disabled. My Google account recognized it as an "A1 ADT-3", Google's old developer test device, rather than a Xiaomi product.

Something was deeply wrong.
The "Liar Patch"
Here's where it gets interesting. A few days in, the box prompted me for a system update. I accepted partly out of curiosity, partly because I wanted to see what would happen.
After the reboot, AIDA64 suddenly reported:
- CPU: Cortex-A55 (upgraded from A53!)
- Storage: 32GB (doubled!)
- Device: Now showing as Xiaomi hardware
- Android: 14 (matching the Settings app)
The hardware didn't change. Physics doesn't work that way. What changed was the software's ability to lie.
I pulled the getprop logs (Android's system properties) and found the smoking guns:
[ro.memsize_32G.show]: [28000000000]
[ro.build.version_custom.release]: [14]
[ro.build.auto.exit]: [com.finalwire.aida64]
That last line is the kicker. The firmware specifically monitors for AIDA64 (com.finalwire.aida64) and feeds it fabricated data when detected. The ro.memsize_32G.show property is hardcoded to display ~28GB to any app checking storage size, regardless of the actual 16GB NAND chip inside.
The "update" was a specific spoofing patch, a targeted payload designed to defeat hardware verification tools.
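The same kind of cross-check can be automated. The script below is an added example, not code from the original post: it parses a getprop dump and flags the inconsistencies described above (a security patch level older than the claimed Android release, an SDK level that does not match the release, "show" overrides for storage size, properties that name a diagnostic app, and properties carrying remote endpoints). The sample dump is constructed: only the three property lines quoted in the post are real; the standard-property values, the release dates and API levels (approximate) and the endpoint URL are assumptions or placeholders.

```python
"""Triage a getprop dump for spec-spoofing indicators (added example, not from the post)."""
import re
from datetime import date

# Constructed sample: the three property lines quoted in the post plus standard
# properties with assumed values, and a placeholder endpoint instead of a live host.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2022-02-05]
[ro.build.version.sdk]: [31]
[ro.product.model]: [MI BOX S]
[ro.memsize_32G.show]: [28000000000]
[ro.build.version_custom.release]: [14]
[ro.build.auto.exit]: [com.finalwire.aida64]
[example.cms.server]: [http://c2.example.invalid:8080/]
"""

# Approximate first-release month of each Android version (assumption): a
# security patch level earlier than this cannot belong to that release.
RELEASE_MONTH = {
    "12": date(2021, 10, 1),
    "13": date(2022, 8, 1),
    "14": date(2023, 10, 1),
    "15": date(2024, 10, 1),
}
# API level each release ships with (assumption, for the sdk/release cross-check).
SDK_FOR_RELEASE = {"12": 31, "13": 33, "14": 34, "15": 35}
# Package names of hardware-verification apps a liar patch may single out;
# only AIDA64 is from the post, extend as needed.
DIAGNOSTIC_PACKAGES = {"com.finalwire.aida64"}


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[(.*)\]$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def triage(props):
    """Return (kind, message) findings; an empty list means nothing looked off."""
    findings = []
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")

    # 1. A patch level that predates the release it claims to belong to.
    if release in RELEASE_MONTH and patch:
        try:
            patch_date = date.fromisoformat(patch)
        except ValueError:
            patch_date = None
        if patch_date and patch_date < RELEASE_MONTH[release]:
            findings.append(("patch_predates_release",
                             f"security patch {patch} predates Android {release}"))

    # 2. The SDK level does not match the advertised release.
    sdk = props.get("ro.build.version.sdk", "")
    if release in SDK_FOR_RELEASE and sdk.isdigit() and int(sdk) != SDK_FOR_RELEASE[release]:
        findings.append(("sdk_mismatch",
                         f"sdk {sdk} does not match Android {release} (expected {SDK_FOR_RELEASE[release]})"))

    for key, value in props.items():
        # 3. Display-only size overrides like ro.memsize_32G.show.
        if "memsize" in key and key.endswith(".show"):
            findings.append(("size_override", f"{key} forces a displayed size of {value} bytes"))
        # 4. Properties that name a verification app by package.
        if value in DIAGNOSTIC_PACKAGES:
            findings.append(("diagnostic_app_targeted", f"{key} references {value}"))
        # 5. Remote endpoints baked into system properties.
        if re.search(r"https?://", value):
            findings.append(("remote_endpoint", f"{key} points at {value}"))
    return findings


if __name__ == "__main__":
    for kind, msg in triage(parse_getprop(SAMPLE_GETPROP)):
        print(f"{kind:26s} {msg}")
```

On a real device the input is the output of `getprop` captured over a shell; the checks are deliberately conservative (they only compare values the firmware itself reports), so a clean result is not proof of a genuine unit, while any finding is worth a closer look before accepting an update.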
Digging Deeper into The Bigdroid Botnet
Curious about what this thing was actually doing on my network, I started tracing its connections. The getprop output revealed some fascinating infrastructure:
Command & Control Servers:
- t101[dot]cms[dot]server → http://auth[dot]t101[dot]cn:8080/
- mqtt[dot]s3tv[dot]net (IP: 57[dot]129[dot]18[dot]55)
The t101.cn domain is a known player in the fake TV box ecosystem. This isn't just piracy; this is fleet management. The MQTT protocol means the box is subscribed to a message broker, waiting for remote commands. It can receive instructions to install apps, exfiltrate data, or participate in DDoS attacks without your knowledge.
The Chromecast Deception: The box runs a service called redsonic that serves a fake device-desc.xml file to your local network. When you open YouTube on your phone and look for cast devices, this box presents itself as a legitimate Chromecast, complete with icons fetched from Google's own servers (gstatic.com). It's not just lying to you; it's lying to every device on your WiFi.
The Zombie Apps
I noticed a few unusual apps: com.abc.netflixhook, allapp, facappmanager, awlogsettings, boxtools, dragonatt, and timerswitch. They contained native code when I tried to extract them, had extensive permissions, mostly ran as UID 1000, and were signed with Android test keys.
I tried cleaning house. Uninstalled Netflix. Uninstalled Disney+ and other preinstalled apps. Rebooted.
They came back.
The firmware includes a watchdog service (facappmanager or similar) with root privileges that checks the app list on every boot. If "sponsored" apps are missing, it reinstalls them from hidden partitions. You cannot sanitize this OS. It's designed to be a permanent billboard for apps you never asked for, generating affiliate revenue for the botnet operators.
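Two of the signals from this section (unfamiliar packages sharing the system UID, and packages that reappear after an uninstall and reboot) are easy to check from package-manager output. The script below is an added example, not code from the original post; it assumes a shell on the box that can run `pm list packages -U` (the `-U` flag prints each package's UID) and works on constructed samples: the package names come from the post, the UIDs, the streaming-app names (placeholders) and the system-package allowlist are assumptions.

```python
"""Flag system-UID and watchdog-restored packages from pm output (added example, not from the post)."""
import re

# Constructed sample of `pm list packages -U` before any cleanup.
BEFORE = """\
package:com.android.settings uid:1000
package:com.android.tv.settings uid:1000
package:com.abc.netflixhook uid:1000
package:facappmanager uid:1000
package:dragonatt uid:1000
package:allapp uid:10038
package:boxtools uid:10039
package:com.example.netflix uid:10045
package:com.example.disney uid:10046
"""

# Same box right after uninstalling the two streaming apps (placeholders).
AFTER_UNINSTALL = "\n".join(
    line for line in BEFORE.splitlines()
    if not line.startswith(("package:com.example.netflix", "package:com.example.disney"))
) + "\n"

# Same box after a reboot: the watchdog has put both apps back.
AFTER_REBOOT = BEFORE

# Packages legitimately expected on uid 1000 (assumed allowlist; tune per device).
CORE_SYSTEM_UID_PACKAGES = {"com.android.settings", "com.android.tv.settings"}


def parse_pm_list(text):
    """Map package name -> uid from 'package:<name> uid:<n>' lines."""
    pkgs = {}
    for m in re.finditer(r"^package:(\S+) uid:(\d+)$", text, re.M):
        pkgs[m.group(1)] = int(m.group(2))
    return pkgs


def unexpected_system_uid(pkgs, allowlist=CORE_SYSTEM_UID_PACKAGES):
    """Packages sharing the system UID (1000) that are not on the allowlist."""
    return sorted(p for p, uid in pkgs.items() if uid == 1000 and p not in allowlist)


def non_reverse_dns_names(pkgs):
    """Packages whose name is not reverse-DNS style (e.g. 'allapp'), unusual for shipped apps."""
    return sorted(p for p in pkgs if "." not in p)


def restored_packages(before, after_uninstall, after_reboot):
    """Packages that were removed by the user but are present again after reboot."""
    removed = set(before) - set(after_uninstall)
    return sorted(removed & set(after_reboot))


if __name__ == "__main__":
    b, u, r = parse_pm_list(BEFORE), parse_pm_list(AFTER_UNINSTALL), parse_pm_list(AFTER_REBOOT)
    print("unexpected uid 1000:", unexpected_system_uid(b))
    print("non reverse-DNS names:", non_reverse_dns_names(b))
    print("restored after reboot:", restored_packages(b, u, r))
```

The reboot diff is the decisive check: a package that the user removed and that is present again afterwards was put back by something running with more privilege than the user, which is exactly the watchdog behaviour described above.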
The Colombo Counterfeit Scam

I didn't buy this from a random Facebook seller. I got it from one of the most reputable tech shops in Colombo. Then I checked three more well-reputed and established shops. They all carry the same unit. Same box. Same price. Same malware.
This isn't a one-off scam. This is a supply chain infiltration. Someone is mass-producing these boxes with BigdroidOS pre-installed, and they're moving through legitimate retail channels in Sri Lanka. The price point (LKR 20,000 vs. 27,000+ for genuine) is calibrated to hit the sweet spot where consumers think they're getting a deal, not a dud.
Next Steps
I've isolated the box on a dedicated VLAN with no internet access and strict firewall rules. It works for local USB playback, but that's it. I've also reported the Liar Patch behavior to FinalWire (AIDA64's developers) so they can potentially detect this spoofing in future versions.
The Reddit community at r/AndroidTV helped validate my findings; it turns out this exact firmware variant has been popping up globally, usually sold as "Xiaomi" or "Google TV" boxes in emerging markets.
The Bottom Line
This isn't your grandfather's counterfeit electronics. This is a sophisticated, networked threat that:
- Spoofs hardware specs dynamically to prevent returns and fool reviewers
- Maintains persistent C2 connections to Chinese servers
- Resists user sanitization through root-level app restoration
- Camouflages itself on your network as legitimate Google hardware
- Propagates through trusted retail channels
If you bought a "Xiaomi" TV box in Sri Lanka recently for around LKR 20,000, check it with AIDA64 before accepting any updates. Look for the Allwinner H313/H616. Check if your Google account sees it as "ADT-3." Verify the security patch date matches the claimed Android version.
And maybe spend the extra LKR 7,000-10,000 for the real thing. Your network security is worth more than the discount.
Tags: #AndroidTV #BigdroidOS #CounterfeitElectronics #SriLanka #InfoSec #TVBox #Malware #SupplyChain