New Mirai Variant Targets Low-Cost Android TV Boxes for DDoS Attacks

A fresh variant of the Mirai malware botnet has emerged, infecting low-cost Android TV set-top boxes commonly used for media streaming by millions of users.

Dr. Web’s antivirus team has identified this trojan as a new iteration of the ‘Pandora’ backdoor, which initially surfaced in 2015.

The primary focus of this campaign is on economical Android TV boxes, including models like Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3. These devices are equipped with quad-core processors capable of launching potent Distributed Denial of Service (DDoS) attacks, even with small swarm sizes.

The malware infiltrates these devices through two main channels: either via a malicious firmware update signed with publicly available test keys or through malicious apps hosted on domains targeting users seeking pirated content.

In the first scenario, the malicious firmware updates are either installed by device resellers or users are deceived into downloading them from websites that promise unrestricted media streaming or enhanced compatibility with a broader range of applications.

The malware embeds itself within the ‘boot.img,’ containing kernel and ramdisk components loaded during the Android system boot-up, making it an effective persistence mechanism.

The second distribution method involves pirated content apps that pledge access to copyrighted TV shows and movies for free or at a minimal cost. In this case, persistence is established during the initial launch of these malicious apps. They initiate the ‘GoMediaService’ in the background without the user’s knowledge and set it to auto-start upon device boot.

This service triggers the ‘gomediad.so’ program, which unpacks various files, including a command-line interpreter running with elevated privileges (‘Tool.AppProcessShell.1’) and an installer for the Pandora backdoor (‘.tmp.sh’).

Once activated, the backdoor communicates with a command-and-control (C2) server, replaces the HOSTS file, self-updates, and then enters standby mode, awaiting commands from its operators.

The malware is capable of executing DDoS attacks via TCP and UDP protocols. This includes generating SYN, ICMP, and DNS flood requests, opening a reverse shell, mounting system partitions for modification, and more.

Low-cost Android TV boxes often have an uncertain journey from manufacturer to consumer, leaving end-users unaware of their origins, potential firmware alterations, and the various intermediaries they pass through.

Even for cautious consumers who retain the original ROM and exercise discretion in app installations, there remains a lingering risk of devices arriving with preloaded malware.

Therefore, it is advisable to consider trusted streaming devices from established brands such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick to mitigate potential security risks.