Mini PC maker ships systems with factory-installed spyware — AceMagic says issue was contained to the 'first shipment'

AceMagic AD08 (Image credit: AceMagic)

Jon from The Net Guy Reviews YouTube channel claims to have found spyware inside the AceMagic AD08 mini-PC that he received for review. Other models, including the AD15 and S1, reportedly present similar spyware problems.

As a quick introduction, Shenzhen Shanminheng Technology Co., Ltd., also known as Minipc Union, owns different brands: AceMagic/AceMagician, Kamrui, NiPoGi, and CTONE. Many of the cheap mini-PCs on Amazon are cookie-cutter products; sometimes, the only difference is specifications. That's why the AceMagic AD08, for example, looks identical to the Kamrui AM08.

According to Jon, Windows Defender initially detected suspicious files in the recovery partition of the NVMe drive installed inside the AceMagic AD08, which the reviewer received through dropshipping from the Fulfillment by Amazon (FBA) service.

The infected files consist of two executables: ENDEV and EDIDEV. The malware belongs to the Bladabindi and Redline families, which steal stored passwords from browsers and cryptocurrency wallets, log the victim's keystrokes, and extract information from the infected system, among other illicit activities. A complete system scan revealed additional spyware files hiding in the Windows folder. VirusTotal confirmed Windows Defender's detections. A total of 50 security vendors flagged the files as malicious.

One Amazon buyer who purchased the AceMagic AD08 also reported malware inside the system, so the YouTuber's experience wasn't an isolated incident.

Eclectic Sal wrote, "Arrived with malware installed - Backdoor Win32/Bladabindi, a backdoor trojan which is a remote access tool known for its data-stealing capabilities. It was hardcoded into the Windows recovery, so it would not be wiped on reset. Windows was also a spoofed version, not a valid product key."

Meanwhile, Richard Deno, who picked up an AK1, stated, "Okay, first things first, this computer Backdoor:Win32/Bladabind!ml and Trojan:MSIL/RedLine!MSR malware. These are the files endev.exe and endidev.exe in the folder C:/Windows/OsVer/. There's also copies of these on the restore information, so if you do a system restore they'll be reinstalled. It's also odd that it comes with Chrome preinstalled, but given the other malware I wouldn't trust the copy they installed."

The malware issue isn't limited to just the AceMagic AD08 or AK1. The Net Guy Reviews' peers found the same files on the AD15; another contact found different malware hidden inside the LED control software for the S1. Jon purchased another AceMagic AD08 mini-PC directly from Amazon, but the machine was clean this time. The only difference he noticed with the packaging was a small sticker denoting "P2." It seems that the vendor discovered the problem and released a revised version.

An AceMagic representative purportedly got back to Jon with the following statement:

Hi Jon,

Yes, the virus software issue has been resolved in the current stock product offering. This issue will no longer be present in the current offerings, as the one sent to you was the first shipment, and we apologize that it had these issues and caused you some distress. But please don't worry, everything has been properly resolved now. Thank you for your support!

It's not the first time AceMagic has encountered malware problems. The vendor previously acknowledged an issue where the Bing search engine was included in the pre-installation process for the AD08, S1, and AK1 Plus RGB. However, AceMagic didn't say anything about malware, so we shouldn't assume it's the same issue.

From the spokesperson's statement, it's plausible that a specific batch of AceMagic devices presents the malware problem. That's one of the caveats of outsourcing your Windows images. The company may have already pulled all the compromised devices from retailers. However, it's also unknown how many of them got out. AceMagic hasn't issued a recall on these machines, so that number could be small. Jon and company may just have been unlucky. If you own a mini-PC from AceMagic or one of the other sub-brands and are still using the original Windows installation, it wouldn't hurt to run a virus scan to see if you're malware-free.
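
A triage pass for owners still on the factory image, as an added example that is not from the article, the reviewer or AceMagic: it checks the folder and file names reported above, lists Microsoft Defender detections for the two named families, and records the recovery environment state. The folder and base names come from the reports quoted on this page and are a starting point, not a complete indicator list; the script assumes an elevated PowerShell session with Microsoft Defender enabled.

```powershell
# Added example: triage of a factory Windows image for the artifacts named in this article.
# Folder and file base names are the ones reported on this page (assumed starting points).

$suspectDir   = Join-Path $env:windir 'OsVer'      # C:\Windows\OsVer per the buyer report
$suspectNames = 'endev', 'endidev', 'edidev'       # base names as spelled on this page
$families     = 'Bladabindi', 'RedLine'            # families named in the detections

# 1. Reported drop folder: list and hash every file so it can be looked up before removal.
if (Test-Path -LiteralPath $suspectDir) {
    Get-ChildItem -LiteralPath $suspectDir -File -Force -Recurse |
        Select-Object FullName, Length, CreationTimeUtc,
            @{ n = 'Reported'; e = { $suspectNames -contains $_.BaseName } },
            @{ n = 'SHA256';   e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-List
} else {
    "Not present: $suspectDir"
}

# 2. Threats Defender has already recorded on this machine, filtered to the two families.
Get-MpThreat |
    Where-Object { $name = $_.ThreatName; $families | Where-Object { $name -like "*$_*" } } |
    Select-Object ThreatName, SeverityID, Resources

# 3. Recovery environment: buyers report the files return after a reset or restore,
#    so record whether WinRE is enabled and where its image lives.
reagentc.exe /info

# 4. Full scan of the running system (this can take a long time).
Start-MpScan -ScanType FullScan
```

Because buyers report that the files are restored from the recovery data, a hit in step 1 or 2 points to reinstalling from Microsoft's own installation media rather than using the built-in reset.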

Zhiye Liu
News Editor and Memory Reviewer

Zhiye Liu is a news editor and memory reviewer at Tom’s Hardware. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.

  • ThomasKinsley
    This is what I was afraid of. As soon as I heard that these little mini-PCs used a custom Windows image with a special BIOS, I thought something might be wrong. They're really, really cheap, but that might be because they're banking (ha) on the keyloggers.
  • USAFRet
    Way to tank your brand.

    No matter what you do in the future, that is on the permanent Do Not Buy list.
  • pug_s
    I would buy it. Just wipe the drive and do a clean install. I've bought 2 of these PCs recently and I did that.
  • USAFRet
    pug_s said:
    I would buy it. Just wipe the drive and do a clean install. I've bought 2 of these PCs recently and I did that.
    Why reward incompetence?

    The only thing they need is bankruptcy and unemployment.
  • thestryker
    These devices are cheap enough that something along these lines was basically guaranteed to happen. I've never bought a minipc with storage, and if I did the first thing that would happen is it gets wiped.
  • qwertymac93
    For all we know they just moved the malware to the firmware/UEFI so it's even harder to wipe away. Fool me once, shame on you; fool me twice...
  • wbfox
    Also would be interested to know how and who put on the malware. And as mentioned, there is always the UEFI and firmware and Intel ME, etc.... And then of course there are all the other brands of mini PCs.....
  • USAFRet
    wbfox said:
    Also would be interested to know how and who put on the malware. And as mentioned, there is always the UEFI and firmware and Intel ME, etc.... And then of course there are all the other brands of mini PCs.....
    Apparently, they outsourced the creation and loading of the Windows images.
  • drivinfast247
    USAFRet said:
    Way to tank your brand.

    No matter what you do in the future, that is on the permanent Do Not Buy list.
    There goes the prestigious AceMagic brand!
  • das_stig
    Bigger question, why are Amazon not pulling all their products, as they are assisting in distribution of known compromised hardware? Ah, forgot the almighty profit margin overrules everything!