New Pandora botnet targets Android TVs for DDoS attacks

September 20, 2023

The notorious Mirai botnet malware has a new strain called Pandora that compromises low-cost Android-based television sets and TV boxes. This latest iteration of the botnet is used to launch distributed denial-of-service (DDoS) attacks.

The operators of this new campaign allegedly spread the malware by deceiving targeted users into installing malicious firmware updates or apps that promise access to pirated or cracked video content.

Earlier this week, the operation’s fake firmware update was found available for download from multiple sources, such as third-party app stores and websites. These updates are signed with the publicly available Android Open Source Project (AOSP) test keys. The modifications include a backdoor service embedded in the boot[.]img, which ensures the backdoor persists even after the system reboots.

The Pandora botnet’s other distribution method targets users who want free access to streaming content: applications that offer pirated movies and television shows. The threat actors lure users into installing these malicious apps to view content that is unavailable on standard cable services or that normally requires a subscription.

The campaign has also shown signs of prioritising Spanish-speaking users, since most of the targeted apps are from Latin American regions. The confirmed apps tied to the campaign include Tele Latino (com.spanish.latinomobile), UniTV (com.global.unitviptv), Latino VOD (com.global.latinotvod), and YouCine TV (com.world.youcinetv).

Once a user installs one of these apps, it runs a background service called GoMediaService, which the actors use to extract several files, including an interpreter that runs with elevated privileges and an installer for Pandora.

Pandora itself, built by the Mirai developers on the Mirai code base, is designed to establish communication with a remote server, replace the system’s hosts file with a malicious version, and accept further commands to execute DDoS attacks over the TCP and UDP protocols or to open a reverse shell.
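The indicators the article names (the four package names, the GoMediaService background service, and the replaced hosts file) are enough for a first-pass triage of a suspect TV box. The script below is an added example, not code from the article or from any vendor; it assumes the analyst has already captured the plain-text output of `adb shell pm list packages` (lines of the form `package:<name>`), the contents of the device's /etc/hosts, and a `dumpsys activity services` listing, and it flags anything that matches the report. The sample inputs are constructed for the demonstration.

```python
"""Triage helper for the Pandora/Android TV indicators named in the report.

Constructed example; not from the article or any vendor. It works on text
captures the analyst is assumed to have taken already via adb, so it runs
offline with no device attached.
"""
import ipaddress

# Package names the report ties to the campaign.
INDICATOR_PACKAGES = {
    "com.spanish.latinomobile",  # Tele Latino
    "com.global.unitviptv",      # UniTV
    "com.global.latinotvod",     # Latino VOD
    "com.world.youcinetv",       # YouCine TV
}

# Background service name the report says the malicious apps start.
INDICATOR_SERVICE = "GoMediaService"

# Entries a stock Android hosts file legitimately contains.
BASELINE_HOSTS = {("127.0.0.1", "localhost"), ("::1", "ip6-localhost")}


def parse_pm_list(text):
    """Return the set of package names from `pm list packages` output."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def find_indicator_packages(pkgs):
    """Installed packages that match the report's list, sorted for stable output."""
    return sorted(INDICATOR_PACKAGES & set(pkgs))


def parse_hosts(text):
    """Parse hosts-file text into (address, hostname) pairs, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; ignore malformed line
        for name in parts[1:]:
            entries.append((parts[0], name))
    return entries


def suspicious_hosts_entries(text):
    """Entries beyond the stock baseline. A replaced hosts file can redirect or
    blackhole update, telemetry or security domains, so any extra entry on a
    TV box deserves a look."""
    return [e for e in parse_hosts(text) if e not in BASELINE_HOSTS]


def find_indicator_service(services_text):
    """True if the service listing mentions the report's service name."""
    needle = INDICATOR_SERVICE.lower()
    return any(needle in line.lower() for line in services_text.splitlines())


def triage(pm_text, hosts_text, services_text):
    """Combine the three checks into one report dictionary."""
    return {
        "packages": find_indicator_packages(parse_pm_list(pm_text)),
        "hosts": suspicious_hosts_entries(hosts_text),
        "service_seen": find_indicator_service(services_text),
    }


# Constructed sample captures (not real device output).
SAMPLE_PM = (
    "package:com.android.settings\n"
    "package:com.global.unitviptv\n"
    "package:com.world.youcinetv\n"
)
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "::1 ip6-localhost\n"
    "# constructed extra entry\n"
    "203.0.113.5 update.example.invalid\n"
)
SAMPLE_SERVICES = (
    "  * ServiceRecord{1a2b3c4 u0 com.global.unitviptv/.GoMediaService}\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_HOSTS, SAMPLE_SERVICES))
```

A hit on any of the three checks is a reason to pull the device off the network and re-flash it from the manufacturer's image rather than to clean it in place, since the report states the backdoor lives in boot[.]img and survives reboots.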

The primary targets of this cybercriminal operation are low-cost Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, which use quad-core processors from Allwinner and Amlogic and therefore have enough processing power to be useful for launching distributed denial-of-service campaigns.

Android TV users, especially from the Latin American region, should keep their devices updated and always download software from trusted sources to avoid falling victim to these new campaigns.
