Children’s tablet has malware and exposes kids’ data, researcher finds

In May this year, Alexis Hancock’s daughter got a children’s tablet for her birthday. Being a security researcher, Hancock was immediately worried.

“I looked at it kind of sideways because I’ve never heard of Dragon Touch,” Hancock told TechCrunch, referring to the tablet’s maker.

As it turned out, Hancock, who works at the Electronic Frontier Foundation, had good reasons to be concerned. Hancock said she found that the tablet had a slew of security and privacy issues that could have put her daughter’s and other children’s data at risk.

The Dragon Touch KidzPad Y88X contains traces of a well-known malware, runs a version of Android that was released five years ago, comes pre-loaded with other software that’s considered malware and a “potentially unwanted program” because of “its history and extensive system level permissions to download whatever application it wants,” and includes an outdated version of an app store designed specifically for kids, according to Hancock’s report, which was released on Thursday and seen by TechCrunch ahead of its publication.

Hancock said she reached out to Dragon Touch to report these issues, but the company never responded. Dragon Touch did not respond to TechCrunch’s questions either.

The first worrying thing Hancock said she found on the tablet were traces of the presence of Corejava, which in January cybersecurity firm Malwarebytes analyzed and concluded was malicious. Also this year, the Electronic Frontier Foundation and independent security researchers discovered the same type of malware embedded in the software of cheap Android-powered TVs. The good news, Hancock said, is that at least the malware seemed inactive, and was programmed to send data to dormant servers.

According to Hancock’s technical report, the tablet also came pre-loaded with Adups — the same software found in those Android TVs — which is used to do “firmware over the air” updates. Malwarebytes has classified Adups as malware and a “potentially unwanted program” for its ability to automatically download and install new malware from the internet.

Finally, the tablet came with a pre-installed and outdated version of the KIDOZ app, which serves as an app store that allows parents to set parental controls and kids to download games and apps. The app store “collects and sends data to ‘kidoz.net’ on usage and physical attributes of the device. This includes information like device model, brand, country, timezone, screen size, view events, click events, logtime of events, and a unique KID ID,” according to Hancock’s report.

KIDOZ founder Eldad Ben Tora told TechCrunch that the app is certified to respect COPPA, the U.S. federal law that carves out some online privacy protections for children, and that the app “underwent a rigorous assessment process by an FTC-approved COPPA Safe Harbor Program called PRIVO, which included a thorough review of our data collection, storage, and usage practices.”

“This process ensures that our services fully comply with COPPA requirements, prioritizing the protection of children’s privacy,” Ben Tora told TechCrunch.

The Dragon Touch tablet that Hancock analyzed used to be on sale on Amazon until this week, when the listing went down and was replaced with a listing for the same tablet, which claims the tablet runs Android 12, which was released in 2021. Images on the listing, however, say the tablet runs Android 10, released in 2019.

It’s unclear how popular these tablets are, but the Amazon listings showed more than 1,000 reviews.

Amazon spokesperson Adam Montgomery told TechCrunch in an email that the company is “looking into these claims, and will take appropriate action if needed.”

The Dragon Touch tablet was also available on Walmart until this week. After TechCrunch reached out to the company, Walmart removed the listing from its website.

“We have removed this third-party item from our site while our Trust and Safety conducts a review,” Walmart spokesperson John Forrest Ales said in an email. “Like other major online retailers, we operate an online marketplace that allows outside third-party sellers to offer merchandise to customers through our eCommerce platform. We expect these items to be safe, reliable, and compliant with our standards and all legal requirements. Items that are identified to not meet these standards or requirements will be promptly removed from the website and remain blocked.”

Dragon Touch is listed on the official Android website as a “certified” device that’s been “tested for security and performance.”

Google spokesperson Ed Fernandez told TechCrunch by email that the company was “thoroughly evaluating the claims in this report to determine whether the manufacturer’s device meets the security standards required for Play Protect certification.”

Children’s internet-connected products have long been a target for hackers. In 2015, a hacker broke into the servers of VTech, a consumer electronics company that made gadgets for children. The hack resulted in the theft of personal information of almost five million parents, including names, email addresses, passwords and home addresses, and the personal data of more than 200,000 kids, including names, genders and birthdays. The hacker also obtained thousands of pictures of parents and kids and a year’s worth of chat logs.

After finishing her research, Hancock said she had to keep the tablet because her daughter got attached to it during a trip with her cousins. But Hancock didn’t return the tablet to her daughter until after making changes to protect her daughter’s privacy.

“I have talked to her about why I had her tablet, and why I had it for so long away from her. I told her that it was sick, it had a virus, and I had to make it better and I had to take it to the doctor,” Hancock said.

In practice, Hancock said that she “nuked everything” she could.

First, Hancock said she installed a VPN profile on the tablet on a private server that runs Pi-hole, an ad blocking software; then, she limited the number of apps her daughter could use; redirected the DNS — the internet system that connects IP addresses to domain names, for “any problematic domains;” and even installed Tor, a browser that is designed to protect the anonymity of its user.

Hancock, however, said parents shouldn’t need to do all this to protect their children’s privacy, especially because not everyone has the technical chops, or the time, to research their kids’ tablet’s cybersecurity and privacy issues.

“Parents really can’t do too much,” she said. “And honestly, it shouldn’t be left up to them.”

Popular Android TV boxes sold on Amazon are laced with malware