Walmart pulls children’s tablet after researcher finds malware exposing kids’ data

Dragon Touch children's tabletAmazon, Pexels

A security researcher raised the alarm when traces of dangerous malware were found on a DragonTouch tablet marketed to children.

A child receiving a tablet or smartphone for their birthday is hardly an uncommon occurrence in the modern day, but security researcher Alexis Hancock quickly found she had cause for concern when she examined her daughter’s Dragon Touch KidZPad Y88X.

Hancock works for the Electronic Frontier Foundation, and so had plenty of familiarity with modern tech products, and yet she had never heard of Dragon Touch, the device’s manufacturer.

Article continues after ad

Upon further inspection, she discovered a range of security and privacy concerns, including traces of a Malware called Corejava, which Malware Bytes confirmed was malicious early this year.

Outdated Android and data-collecting app store

The tablet also runs on a version of Android which is five years out of date, and has a custom app store designed specifically for children called KIDOZ which is similarly outdated and subject to security holes.

This app store collects a host of information, including device model, brand, country, timezone, screen size, view events, click events, logtime of events, and a unique KID ID. This data is then sent to a site called ‘kidoz.net’.

Article continues after ad
Kodoz app store logoKidoz.net

The software pre-loaded onto the tablet is similarly problematic, as it included Adups, a program that has likewise been classified as malware for its potential to download and install other malicious software without any user intervention.

These privacy and security concerns were reported to Amazon, Google, and Walmart. While Amazon and Google said that they were investigating claims and would take appropriate action if needed, Walmart promptly pulled the product from store shelves pending a full investigation.

Article continues after ad

Walmart spokesperson John Forrest Ales said in an email to TechCrunch:

“We have removed this third-party item from our site while our Trust and Safety conducts a review.

“Like other major online retailers, we operate an online marketplace that allows outside third-party sellers to offer merchandise to customers through our eCommerce platform.

“We expect these items to be safe, reliable, and compliant with our standards and all legal requirements. Items that are identified to not meet these standards or requirements will be promptly removed from the website and remain blocked.”

Article continues after ad

Hancock and TechCrunch attempted to contact Dragon Touch for a comment, but so far have not received a reply.