A new Mirai-based backdoor, dubbed “Pandora,” has emerged. It targets low-cost Android TV sets and TV boxes and enlists them in distributed denial-of-service (DDoS) attacks.
Devices are compromised in one of two ways: through a malicious firmware update, or when the user installs an app for watching pirated video content.
According to a recent analysis by the Russian security firm Doctor Web, the malicious firmware update is signed with the publicly available Android Open Source Project (AOSP) test keys, the default signing keys shipped in the AOSP source tree that anyone can use. A vendor's production firmware would carry the vendor's own release keys, so a test-key-signed update was most likely not pushed by the manufacturer but downloaded by users from various third-party websites.
In this variant the backdoor service is embedded in boot.img, the boot partition image, so it is started automatically on every boot. Because it lives in the boot partition rather than in user data, neither a reboot nor a factory reset removes it; getting rid of it requires reflashing a clean boot image.
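A practitioner handed a firmware or app package would want to answer the signing question directly rather than trust the site it came from. The script below is an added example, not code from the article or from Doctor Web: it opens an APK or OTA zip, walks the DER of the v1 signature block in META-INF (the same certificate `apksigner verify --print-certs` or `keytool -printcert -jarfile` would show), and compares each signing certificate's SHA-1 fingerprint with the AOSP test key. The fingerprint constant is the widely published value for AOSP's `testkey.x509.pem`; verify it against your own copy of that file. The sample package it builds for itself is constructed and contains a stand-in certificate, not a real signature.

```python
"""Check whether an Android APK or OTA zip carries a v1 (JAR) signature made with
the public AOSP test key. Standard library only; no device access needed."""
import hashlib
import io
import zipfile

# SHA-1 fingerprint of the AOSP "testkey" certificate
# (build/target/product/security/testkey.x509.pem). Widely published value;
# confirm it against your own copy of that file before relying on it.
AOSP_TESTKEY_SHA1 = "61ed377e85d386a8dfee6b864bd85b0bfaa5af81"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, start, start + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def certificates_from_pkcs7(der):
    """Return the raw DER of every certificate in a PKCS#7 SignedData blob
    (the contents of META-INF/*.RSA, *.DSA or *.EC in a signed zip)."""
    tag, ci_vs, ci_ve = _read_tlv(der, 0)       # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(_children(der, ci_vs, ci_ve))   # [contentType OID, [0] EXPLICIT SignedData]
    if len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("no SignedData content")
    _, _, sd_vs, sd_ve = next(_children(der, kids[1][2], kids[1][3]))  # SignedData SEQUENCE
    certs = []
    for tag, _, vs, ve in _children(der, sd_vs, sd_ve):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            certs = [bytes(der[cs:ce]) for ctag, cs, _, ce in _children(der, vs, ve) if ctag == 0x30]
            break
    return certs


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def signing_cert_sha1s(zip_bytes):
    """SHA-1 fingerprints of all v1 signing certificates in an APK or OTA zip."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                fps.extend(sha1_hex(c) for c in certificates_from_pkcs7(zf.read(name)))
    return fps


def is_test_signed(zip_bytes, known=frozenset({AOSP_TESTKEY_SHA1})):
    """True if any signing certificate matches a known public test key."""
    return any(fp in known for fp in signing_cert_sha1s(zip_bytes))


# --- constructed sample input (not a real firmware package) -----------------
def _der(tag, body):
    """Minimal DER encoder, used only to build the sample below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


# Stand-in "certificate": any DER SEQUENCE fingerprints the same way a real one does.
DUMMY_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x0C, b"not-a-real-cert"))


def make_sample_zip(cert_der):
    """Build a zip whose META-INF/CERT.RSA is a skeletal PKCS#7 SignedData wrapping cert_der."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                                 # version
        + _der(0x31, b"")                                                   # digestAlgorithms (empty)
        + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))   # encapContentInfo: id-data
        + _der(0xA0, cert_der)                                              # certificates [0]
        + _der(0x31, b""))                                                  # signerInfos (empty)
    content_info = _der(0x30,
        _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")                 # id-signedData
        + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", content_info)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_zip(DUMMY_CERT)
    for fp in signing_cert_sha1s(data):
        print("signer SHA-1:", fp)
    print("signed with AOSP testkey:", is_test_signed(data))
```

Run it as `python check_testkey.py update.zip`; a match means anyone could have produced or re-signed the package, so it should not be trusted as a vendor release. On a device that is already running the firmware, `adb shell getprop ro.build.tags` returning `test-keys` is the quick equivalent check.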
In the alternative distribution method, users are lured into downloading apps for streaming pirated movies and TV shows from websites aimed mainly at Spanish-speaking users.
Once one of these apps is installed, it starts a background service named “GoMediaService.” That service unpacks several files, including a command-line interpreter that runs with elevated privileges and the installer for Pandora.
Pandora itself connects to a remote command-and-control server, replaces the system's hosts file with a malicious copy, and waits for commands. Those commands include launching DDoS floods over TCP and UDP and opening a reverse shell to the operators.
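The hosts-file replacement is the one artifact here that an owner or responder can check without unpacking firmware. The triage function below is an added example (not from the article or from Doctor Web): it parses the output of `adb shell cat /system/etc/hosts` and reports any entry beyond the two loopback names a stock Android hosts file contains, distinguishing names sinkholed to a loopback or unspecified address from names redirected to a routable one. The sample hosts files, hostnames and addresses are constructed placeholders, not indicators from the campaign.

```python
"""Triage an Android hosts file (adb shell cat /system/etc/hosts) for tampering."""
import ipaddress

# Contents of a stock Android /system/etc/hosts: only the two loopback names.
STOCK_ANDROID_HOSTS = {"localhost": "127.0.0.1", "ip6-localhost": "::1"}


def triage_hosts(text):
    """Return a list of (line_no, address, names, reason) findings; [] means stock."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((line_no, parts[0], parts[1:], "unparseable address"))
            continue
        names = parts[1:]
        # A stock name only counts as stock when it still maps to its stock address.
        stock = [n for n in names if STOCK_ANDROID_HOSTS.get(n) == str(addr)]
        extra = [n for n in names if n not in stock]
        if not extra:
            continue
        if addr.is_loopback or addr.is_unspecified:
            # Name pointed at 127.0.0.1 / ::1 / 0.0.0.0: lookups are sinkholed,
            # a common way to block update servers or security vendors.
            reason = "sinkholed"
        else:
            # Name pointed at a routable address: traffic for it is redirected.
            reason = "redirected"
        findings.append((line_no, str(addr), extra, reason))
    return findings


# Constructed samples; the hostnames and addresses are placeholders, not IOCs.
STOCK_SAMPLE = "127.0.0.1       localhost\n::1             ip6-localhost\n"
TAMPERED_SAMPLE = (
    "127.0.0.1       localhost\n"
    "::1             ip6-localhost\n"
    "0.0.0.0         ota.vendor.example  # blocks firmware updates\n"
    "198.51.100.7    cdn.streaming.example\n"
    "garbage-line\n"
)

if __name__ == "__main__":
    for finding in triage_hosts(TAMPERED_SAMPLE):
        print(finding)
```

An empty result is the expected state for a TV box; any finding is worth pulling the file and the process that wrote it (the system partition must have been remounted read-write for the swap to succeed, which is itself a sign of a rooted or backdoored image).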
The primary targets are affordable Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, built around quad-core Allwinner and Amlogic processors. They are cheap and plentiful, and their CPUs have enough headroom to generate attack traffic, which makes them convenient DDoS nodes.
To protect against such infections, keep devices updated with firmware from the manufacturer and install apps only from reputable, trusted sources; in particular, avoid third-party firmware images and pirate-streaming apps, which are the two infection vectors described here.