A recently updated variant of the Mirai botnet malware is now targeting Android TV set-top boxes, which are widely utilized by millions of users for streaming, with a particular emphasis on financial exploitation.
As reported by Dr. Web’s analyst team, the new trojan represents an updated iteration of the “Pandora” backdoor, originally observed in 2015.
As mentioned earlier, the primary targets are low-cost Android TV boxes, including models like the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3. These devices boast quad-core processors, enabling them to launch potent DDoS attacks.
How Mirai botnet infects?
Dr. Web’s report outlines two methods of device infection:
- Through Malicious Firmware Updates: These updates are signed with publicly available test keys.
- Via Malware Targeting Users Interested in Pirated Content: Users looking for pirated content become targets.
Regarding firmware updates, resellers of these devices may be responsible for installations. Alternatively, users themselves may be deceived into downloading these updates from websites that promise unlimited streaming or improved compatibility with a broader range of applications.
The malevolent service is housed within the “boot.img” file, encompassing the kernel and ramdisk components responsible for initialization during the Android system’s boot-up process. Consequently, it serves as an effective means for establishing persistence.
Regarding distribution via malicious applications, these apps often offer pirated content and make enticing claims of free or low-cost access to copyrighted TV shows and movies.
Dr. Web provides instances of Android apps responsible for infecting devices with this updated Mirai malware botnet variant.
In this scenario, persistence is established during the initial launch of these malicious applications. They clandestinely activate the “GoMediaService” in the background, ensuring it automatically starts with each device boot-up.
This service subsequently invokes the “gomediad.so” program, responsible for various tasks, such as unpacking archives. It also runs a command-line interpreter with elevated privileges (“Tool.AppProcessShell.1”) and deploys an installer for the Pandora backdoor (“.tmp.sh”).
Once activated, the backdoor communicates with the C2 server, overwrites the HOSTS file, updates itself, and then enters a standby state, awaiting incoming commands from its handlers.
The analysts of Dr. Web report that the malware may performs attacks DDoS through the TCP and UDP protocols and perform other malicious activities.
Are Android TV Boxes a Security Risk?
Android TV boxes offer affordable access to streaming content like movies and series, but they carry risks, including potential malware.
These budget-friendly devices may lack transparency in sourcing and firmware alterations, posing security concerns even for cautious users. Opting for reputable brands like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, or Roku Stick can enhance security.