A variant of the Mirai botnet called Pandora was observed infiltrating cheap Android-based TVs and TV boxes and using them as part of a botnet to carry out distributed denial of service (DDoS) attacks.
Doctor Web said these compromises are likely to occur either during malicious firmware updates or when installing applications that allow viewing pirated video content.
“It is likely that this update has been made available for download from a number of websites, as it is signed with publicly available Android Open Source Project test keys,” the Russian company said in an analysis published Wednesday.
“The service that runs the backdoor is included in boot.img,” allowing it to persist between system reboots.
In alternative distribution methods, it is suspected that users are tricked into installing apps to stream pirated movies and TV shows through websites that primarily target Spanish-speaking users.
The list of apps is as follows –
- Latin VOD (com.global.latinotvod)
- Tele Latino (com.spanish.latinomobile)
- UniTV (com.global.unitviptv), and
- YouCine TV (com.world.youcinetv)
Once an application is installed, it launches a “GoMediaService” service in the background which is then used to unpack a number of files, including an interpreter that runs with elevated privileges and an installer for Pandora.
Pandora, for its part, is designed to contact a remote server, replace the hosts file on the system with a malicious variant and receive additional commands to mount DDoS attacks via TCP and UDP protocols and open a reverse shell.
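Because Pandora swaps out the device's hosts file, a defender-side check is to compare that file against the two loopback entries stock Android ships with and flag anything else. The following is an added example, not code from the article or from Doctor Web; the hosts content it audits is constructed sample data.

```python
"""Audit an Android hosts file for entries that deviate from the stock baseline.

Added example, not part of the original article or Doctor Web's analysis.
Stock Android ships /system/etc/hosts with only two loopback entries; a bot
that replaces the file typically adds sinkholes or redirections.
"""
import ipaddress

# Baseline shipped by AOSP (system/core/rootdir/etc/hosts).
STOCK_HOSTS = {"localhost": "127.0.0.1", "ip6-localhost": "::1"}

# Constructed sample: the two stock lines plus three tampered entries.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
# added lines
0.0.0.0         update.example-av.test
203.0.113.7     cdn.example.test www.example.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def audit_hosts(text):
    """Return (severity, ip, hostname, reason) for each non-baseline entry."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("high", ip, name, "unparseable address"))
            continue
        if name in STOCK_HOSTS:
            if ip != STOCK_HOSTS[name]:
                findings.append(("high", ip, name, "loopback name remapped"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # Sinkholing a domain (e.g. an update server) silently blocks it.
            findings.append(("medium", ip, name, "domain sinkholed"))
        else:
            # Pinning a domain to a foreign address redirects its traffic.
            findings.append(("high", ip, name, "domain pinned to foreign address"))
    return findings
```

On a device, the file to feed into `audit_hosts` is the output of `adb shell cat /system/etc/hosts`.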
The main targets of the campaign are cheap Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3, equipped with quad-core processors from Allwinner and Amlogic, making them ideal candidates for launching DDoS attacks.
To mitigate such infections, users are recommended to keep their devices updated and stick to downloading software only from trusted sources.