Acemagic is a popular technology company offering cheap computers and mini PCs, many of which the company markets as gaming computers. They recently released the Acemagic S1 mini PC, and many users are reporting malware and suspicious PUAs (Potentially Unwanted Applications) on it.
The computers ship with a modified Windows image: bloatware removed, Google Chrome pre-installed, and Acemagic's own home-brewed software added. That software includes an LED control app and a CYXTFTool.
When running a Sophos Intercept X Advanced scan on the device straight out of the box, we found the following threats:
The LED Control program appears to be a home-brew app from Acemagic. Users have reported antivirus software flagging it as malware; Acemagic has claimed these detections are false positives and that the app is safe to use. The app is meant to control the LED lights on the front of the PC; however, it did not work on initial boot.
One user of this mini PC asked about the program on minipcunion.com. An alleged Acemagic employee by the name barry777 responded that the program was 'misjudged' by Windows Defender, but that they were working on fixing it. He then followed up with an updated version of the LED Control program. After downloading the "updated" version of the LED control app, Sophos antivirus determined it was clean.
I have been unable to find any other response from the company regarding the other malware threats included with the computers. Customer reports about them are often ignored, even when raised with the company directly.
The following report from Virus Total shows that 46 security vendors and 3 sandboxes have flagged the original LED control app as malicious.
ENDEV is classified as a Redline Stealer. This malware steals system information, location data, saved browser credentials, credit card information, autocomplete data, and more. This is particularly alarming given the edits made to the pre-installed version of Google Chrome.
ENDEV Analysis from JoeSandbox
Where Google Chrome would normally say 'New Tab', you can see that the pre-installed Google Chrome says UpSearches. UpSearches is a browser hijacker that replaces the new tab page and search settings and redirects traffic to Yahoo, while stealing credentials and credit card information and tracking your internet activity.
Many people have reported being unable to remove UpSearches from these devices, and it does prove difficult. In testing, resetting Chrome's settings works. However, if you reset the device, the modified build of Chrome returns with the restored factory image. When clicking on 'Google Chrome' for the first time after a reset, you can see that UpSearches is still there, but after closing and reopening the browser it looks just like a normal install.
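As an added illustration (not code from this article, from Acemagic or from Google), the following Python script applies the check described above to a Chrome profile: it reads Chrome's Preferences JSON and reports a replaced New Tab page, a changed homepage or startup page, a swapped default search provider, and extensions that were not installed from the Chrome Web Store. The Windows profile path, the allowlist of expected search domains, and the sample Preferences data embedded for testing are all assumptions or constructed for the example.

```python
"""Report browser-hijack indicators in a Chrome 'Preferences' JSON file.

Added example for this article; not Acemagic's, Chrome's or the author's code.
Profile path, allowlist and sample data are assumptions.
"""
import json
import os
import sys
from pathlib import Path
from urllib.parse import urlparse

# Search/home domains treated as normal (assumption; extend for your environment).
# Yahoo is deliberately absent: the hijack above redirects searches to Yahoo.
EXPECTED_DOMAINS = {"google.com", "www.google.com", "bing.com",
                    "www.bing.com", "duckduckgo.com"}
# Browser-internal schemes never point at a third party.
INTERNAL_SCHEMES = {"chrome", "chrome-extension", "about"}
# Chromium ManifestLocation values for built-in component extensions.
COMPONENT_LOCATIONS = {5, 10}


def _is_unexpected(url: str) -> bool:
    """True when url points outside the allowlist and is not browser-internal."""
    parsed = urlparse(url)
    if not url or parsed.scheme in INTERNAL_SCHEMES:
        return False
    return (parsed.hostname or "").lower() not in EXPECTED_DOMAINS


def find_hijack_indicators(prefs: dict) -> list[str]:
    """Return one human-readable finding per suspicious setting in a parsed Preferences dict."""
    findings = []
    homepage = prefs.get("homepage", "")
    if not prefs.get("homepage_is_newtabpage", True) and _is_unexpected(homepage):
        findings.append(f"homepage set to {homepage}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _is_unexpected(url):
            findings.append(f"startup page {url}")
    # Chrome only writes this key once the default search engine has been changed.
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if _is_unexpected(dsp.get("url", "")):
        findings.append(f"default search provider '{dsp.get('short_name', '?')}' uses {dsp['url']}")
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        name = manifest.get("name", "?")
        if "newtab" in manifest.get("chrome_url_overrides", {}):
            findings.append(f"extension {ext_id} ({name}) overrides the New Tab page")
        if manifest.get("chrome_settings_overrides"):
            findings.append(f"extension {ext_id} ({name}) overrides search/homepage/startup settings")
        if ext.get("location") not in COMPONENT_LOCATIONS and not ext.get("from_webstore", False):
            findings.append(f"extension {ext_id} ({name}) was not installed from the Chrome Web Store")
    return findings


def scan_preferences_file(path: Path) -> list[str]:
    with open(path, encoding="utf-8") as fh:
        return find_hijack_indicators(json.load(fh))


def default_preference_files() -> list[Path]:
    """Both files holding hijack-relevant settings in the default Windows profile (assumed path)."""
    base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default"
    return [base / "Preferences", base / "Secure Preferences"]


# Constructed sample data: a tampered profile and a clean one (hijacker.example is a placeholder).
SAMPLE_PREFS = {
    "homepage": "https://hijacker.example/", "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4, "startup_urls": ["https://hijacker.example/?src=startup"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Hijacker Search", "url": "https://hijacker.example/search?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": False, "location": 2, "manifest": {
            "name": "Hijacker New Tab", "chrome_url_overrides": {"newtab": "newtab.html"}}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": True, "location": 1, "manifest": {
            "name": "Benign Extension"}}}},
}
CLEAN_PREFS = {"homepage_is_newtabpage": True, "session": {"restore_on_startup": 5}}

if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]] or default_preference_files()
    for target in targets:
        if not target.exists():
            print(f"{target}: not found")
            continue
        hits = scan_preferences_file(target)
        print(f"{target}: {'clean' if not hits else str(len(hits)) + ' indicator(s)'}")
        for hit in hits:
            print("  -", hit)
```

On Windows, Chrome keeps the settings it protects against tampering (homepage, default search provider, installed extensions) in "Secure Preferences" next to "Preferences", so run the script against both files, with Chrome closed. A clean result after resetting Chrome says nothing about what a device reset will bring back: a hijacker baked into the factory image is present before Chrome's first run.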
The new S1 is not the only Acemagic computer to ship with malware. Reports on their other models describe the same threats and many others.
Amazon listings for these computers show that Acemagic lists the same computer many times, possibly to spread out the bad reviews and keep the ratings high. On each listing you'll see a few 1-star reviews and several 5-star reviews. Looking closer, most of the 5-star reviews were part of a promotion, meaning they were paid for by Acemagic.
On YouTube, many creators have made unboxing/review videos of Acemagic computers while leaving out or brushing over the malware complaints. All of these videos present the computers and Acemagic in a positive light, with the creators leaving a link to buy the computers in the video's description. At the bottom of that description, you can see a disclaimer that the video was paid for by Acemagic.
Overall we believe Acemagic is negligent at best and a malicious threat actor at worst. These computers are drenched in malware and are not safe to use out of the box. If you currently have an Acemagic computer, it is crucial that you remove any browser accounts, change any saved passwords, replace any credit cards saved in the browser, and completely wipe the device.
This company is a clear demonstration that even brand-new computers can contain threats, which is why antivirus software such as Sophos Intercept X Advanced should always be installed.
From Firestorm Cyber: Alyssa Edwards