Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Wed, Jun 29th):HiByMusic Scans; OpenSSL Heap Overflow; ZuoRat;

Latest Diaries

Possible Scans for HiByMusic Devices

Published: 2022-06-28
Last Updated: 2022-06-28 15:52:36 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

HiBy is a brand of portable music players built around the Android operating system. Probably a bit comparable to the now-defunct iPod touch, the device does use a close to "stock" version of Android and adds its own "HiByMusic" application as a music player. The hardware includes a Snapdragon ARM CPU standard on Android devices and attempts to distinguish itself with DACs claimed to be better than those found in other devices.

image of hiby music device
Image of HiBy device from



The device offers a feature to load custom network radio station URLs via a "radio.txt" file. The file is a simple text file with a list of URLs. For example:

Radio Dismuke 1920s-30s pop/jazz,
SomaFM: Heavyweight Reggae,
SomaFM: Groove Salad,
SomaFM: Groove Salad Classic,
(sample of a radio.txt file found here:

I was a bit surprised that we recently started seeing some scans looking for radio.txt files based on our "First Seen" report. The number of submissions is small. (see the URL History for radio.txt)

So the question is: why?

  • I found one vulnerability specific to HiByMusic: CVE-2021-44124 . It is a simple directory traversal and may result in information leakage. I don't think this is all that interesting but sure. Maybe other vulnerabilities have not yet been made public, or the attacker is looking for generic Android issues
  • radio.txt files may include internal audio sources that are not openly advertised. This could leak information.
  • Or just someone essentially trying to build a "radio station spider" to find as many publicly available radio stations as possible. Anybody knows if this "radio.txt" file is unique to HiByMusic, or if other players use files like this?

At least one more report is not linked to our data observing requests for radio.txt.

Any ideas about what's going on here? 

Johannes B. Ullrich, Ph.D. , Dean of Research,

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Encrypted Client Hello: Anybody Using it Yet?
Jun 27th 2022
1 day ago by Johannes (0 comments)

My Paste Command
Jun 26th 2022
2 days ago by DidierStevens (0 comments)

More Decoding Analysis
Jun 26th 2022
2 days ago by DidierStevens (0 comments)

Malicious Code Passed to PowerShell via the Clipboard
Jun 25th 2022
3 days ago by Xme (0 comments)

Python (ab)using The Windows GUI
Jun 24th 2022
5 days ago by Xme (0 comments)

FLOSS 2.0 Has Been Released
Jun 23rd 2022
6 days ago by Xme (0 comments)

Malicious PowerShell Targeting Cryptocurrency Browser Extensions
Jun 22nd 2022
1 week ago by Xme (0 comments)

View All Diaries →

Latest Discussions

Dshield Sensor
created Jun 8th 2021
1 year ago by Rick (0 replies)

API port data
created Apr 25th 2021
1 year ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
1 year ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
1 year ago by (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
1 year ago by astraea (0 replies)

View All Forums →

Latest News

Top Diaries

Mixed VBA & Excel4 Macro In a Targeted Excel Sheet
Jan 22nd 2022
5 months ago by Xme (0 comments)

A Quick CVE-2022-21907 FAQ
Jan 14th 2022
5 months ago by Johannes (0 comments)

Method For String Extraction Filtering
Apr 9th 2022
2 months ago by DidierStevens (0 comments)

CinaRAT Delivered Through HTML ID Attributes
Feb 11th 2022
4 months ago by Xme (0 comments)

Obscure Wininet.dll Feature?
Jan 21st 2022
5 months ago by Xme (0 comments)