A $35 projector has turned into a source of hidden cyberthreats

A user who purchased an Android projector from the AliExpress platform for 35 USD encountered an unexpected cybersecurity issue after installing the device at home. Although the projector initially appeared to be an ordinary multimedia device, it began exhibiting suspicious network activity shortly after being connected to a Wi-Fi network.

The incident became known through the personal blog of Zane St. John, who reported that after purchasing the Magcubic HY300 Pro+ projector, he observed the device sending DNS requests to unknown domains immediately after connecting to the internet. Subsequent technical analysis revealed the presence of suspicious pre-installed components within the projector’s firmware. The user also used Claude Code while analyzing the device’s suspicious behavior. Claude Code played an important role in analyzing the APK files, tracking network connections and more clearly identifying the functions of the malicious components.

According to the findings, the device attempted to communicate with domains such as “usmyip.kkoip.com” in order to register the user’s IP address. It was reported that the purpose of such activity may have been to integrate the device into a residential proxy network. During the technical investigation, the presence of packages including “com.hotack.silentsdk” and “com.hotack.writesn” was also identified on the projector. These components reportedly enabled the device to establish background network connections, generate additional traffic and utilize the user’s IP address for proxy-related services without the user’s knowledge or consent.

Available information indicates that the issue may not be limited solely to the Magcubic HY300 Pro+ model. Technical observations have identified the presence of similar components in certain low-cost Android-based projectors associated with brands such as Hotack, Huyukang and Nonete. This demonstrates that internet-connected “smart” devices may pose significant security risks.

The incident once again highlights that internet-connected devices should be evaluated not only based on their functionality, but also in terms of firmware integrity and network behavior. In particular, connecting smart devices produced by unknown manufacturers to home or organizational networks may place personal data, IP reputation and overall network security at risk.

References:

• Zane St. John – “Reverse engineering Android malware with Claude Code”
• Adafruit Blog – “Reverse engineering Android malware with Claude Code”
• GitHub – “micha102/hy300pro-debloat”
• GitHub – “Kavan00/Android-Projector-C2-Malware”