Mini PC maker ships systems with factory-installed spyware — AceMagic says issue was contained to the 'first shipment'
Jon from The Net Guy Reviews YouTube channel claims to have found spyware inside the AceMagic AD08 mini-PC that he received for review. Other models, including the AD15 and S1, reportedly present similar spyware problems.
As a quick introduction, Shenzhen Shanminheng Technology Co., Ltd., also known as Minipc Union, owns different brands: AceMagic/AceMagician, Kamrui, NiPoGi, and CTONE. Many of the cheap mini-PCs on Amazon are cookie-cutter products; sometimes, the only difference is specifications. That's why the AceMagic AD08, for example, looks identical to the Kamrui AM08.
According to Jon, Windows Defender initially detected suspicious files from the recovery partition from the NVMe drive installed inside the AceMagic AD08, which the reviewer received through dropshipping from the Fulfillment by Amazon (FBA) service.
The infected files consist of two executables: ENDEV and EDIDEV. The malware belongs to the Bladabindi and Redline families, which steal stored passwords from browsers and cryptocurrency wallets, log the victim's keystrokes, and extract information from the infected system - among other illicit activities. A complete system scan revealed additional spyware files hiding in the Windows folder. VirusTotal confirmed Windows Defender's diagnostics. A total of 50 security vendors flagged the files as malicious.
One Amazon buyer who purchased the AceMagic AD08 also reported malware inside the system, so the YouTuber's experience wasn't an isolated incident.
Eclectic Sal wrote, "Arrived with malware installed - Backdoor Win32/Bladabindi, a backdoor trojan which is a remote access tool known for its data-stealing capabilities. It was hardcoded into the Windows recovery, so it would not be wiped on reset. Windows was also a spoofed version, not a valid product key."
Meanwhile, Richard Deno, who picked up an AK1, stated, "Okay, first things first, this computer Backdoor:Win32/Bladabind!ml and Trojan:MSIL/RedLine!MSR malware. These are the files endev.exe and endidev.exe in the folder C:/Windows/OsVer/. There's also copies of these on the restore information, so if you do a system restore they'll be reinstalled. It's also odd that it comes with Chrome preinstalled, but given the other malware I wouldn't trust the copy they installed."
The malware issue isn't limited to just the AceMagic AD08 or AK1. The Net Guy Reviews' peers found duplicate files on the AD15; another contact found a different malware hidden inside the LED control software for the S1. Jon purchased another AceMagic AD08 mini-PC directly from Amazon, but the machine was cleaned this time. The only difference he noticed with the packaging was a small sticker denoting "P2." It seems that the vendor discovered the problem and released a revised version.
An AceMagic representative purportedly got back to Jon with the following statement:
Hi Jon,
Yes, the virus software issue has been resolved in the current stock product offering this issue will no longer be present in the current offerings as the one sent to you was the first shipment and we apologize that it had these issues and caused you some distress. But please don't worry, everything has been properly resolved now. Thank you for your support!
It's not the first time AceMagic has encountered malware problems. The vendor previously acknowledged an issue where the Bing search engine was included in the pre-installation process for the AD08, S1, and AK1 Plus RGB. However, AceMagic didn't say anything about malware, so we shouldn't assume it's the same issue.
From the spokesperson's statement, it's plausible that a specific batch of AceMagic devices presents the malware problem. That's one of the caveats of outsourcing your Windows images. The company may have already pulled all the compromised devices from retailers. However, it's also unknown how many of them got out. AceMagic hasn't issued a recall on these machines, so that number could be small. Jon and accompany may just be unlucky. If you own a mini-PC from AceMagic or one of the other sub-brands and are still using the original Windows installation, it wouldn't hurt to run a virus scan to see if you're malware-free.
