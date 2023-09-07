Summary: A new variant of the Mirai botnet called Pandora has been identified. It infiltrates inexpensive Android-based TV sets and TV boxes and enrolls them in a botnet used for DDoS attacks. Devices are compromised either through malicious firmware updates or when users install applications for streaming pirated video content. The backdoor service responsible for the infiltration is included in the boot.img file, so it is started by the system itself and persists across restarts. Spanish-speaking users have been targeted through websites offering pirated movies and TV shows. Once such an app is installed, it launches a background service called “GoMediaService” that unpacks several files, including an interpreter that runs with elevated privileges and an installer for Pandora. Pandora connects to a remote server, replaces the hosts file, and carries out DDoS attacks over TCP and UDP. The infected devices are primarily cheap Android TV boxes with quad-core Allwinner and Amlogic processors. Users are advised to keep their devices updated and to install software only from trusted sources.

The cybersecurity company Doctor Web recently discovered a new variant of the infamous Mirai botnet called Pandora. This variant specifically targets inexpensive Android-based TV sets and TV boxes, transforming them into a part of a malicious botnet network. The purpose of this botnet is to carry out distributed denial-of-service (DDoS) attacks.

The compromise of these Android devices is believed to occur either during the installation of malicious firmware updates or when users install applications for streaming pirated video content. Doctor Web suggests that these updates may have been made available on multiple websites, because they are signed with the publicly available Android Open Source Project test keys. Those keys ship in the AOSP source tree, so anyone can sign a firmware image with them; a valid signature by a test key therefore says nothing about who built the image, and a device whose build reports test-keys rather than release-keys should be treated with suspicion.

The infiltration technique used by Pandora relies on a backdoor service that is included in the boot.img file. Because that image is part of the firmware rather than an installed app, the service is started by the system on every boot and is not removed by uninstalling the application that delivered it, which gives the botnet persistence across restarts.

To distribute the malware, attackers have primarily targeted Spanish-speaking users through websites that offer pirated movies and TV shows. Users are tricked into installing specific applications that launch a background service called “GoMediaService.” This service is responsible for unpacking various files, including an interpreter that runs with elevated privileges and an installer for the Pandora botnet.

Once connected to a remote server, Pandora replaces the hosts file on the compromised device and receives commands to carry out DDoS attacks over TCP and UDP. The devices found infected are cheap Android TV boxes with quad-core processors from Allwinner and Amlogic: inexpensive, always-on hardware that makes a convenient platform for launching such attacks.
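The three observable indicators the article describes, firmware signed with AOSP test keys, a rewritten hosts file, and the "GoMediaService" background service, can all be checked from artifacts pulled off a device with adb. The following script is an added example and is not Doctor Web's tooling: it parses constructed samples of `getprop` output, `/system/etc/hosts`, and `ps -A` output and flags each indicator. The property names `ro.build.tags` and `ro.build.fingerprint` are standard Android build properties; the sample fingerprint, hostnames, addresses and package name are made up for illustration.

```python
"""Offline triage of artifacts pulled from an Android TV box over adb.

Added example, not Doctor Web's tooling. Checks three indicators the
article describes: a build signed with AOSP test keys (ro.build.tags),
hosts entries that redirect names away from loopback, and a running
"GoMediaService" process. All sample artifacts below are constructed.
"""
import ipaddress
import re

# Constructed sample of `adb shell getprop` output (hypothetical device).
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [generic/tvbox/tvbox:9/PI/20230101:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.product.model]: [TV Box]
"""

# Constructed sample hosts file: the two stock loopback lines plus two
# attacker-style redirections (domain and address are made up; the
# address is from the RFC 5737 documentation range).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
198.51.100.23   update.example-vendor.test
198.51.100.23   www.example-vendor.test
"""

# Constructed sample of `adb shell ps -A` output; the package name is invented.
SAMPLE_PS = """\
USER     PID   PPID  VSZ     RSS   WCHAN ADDR S NAME
root     1     0     10540   1884  0     0    S init
system   1922  1     994320  84000 0     0    S system_server
u0_a71   3021  412   1201456 96012 0     0    S com.example.player:GoMediaService
"""

GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>.*)\]$")


def parse_getprop(text):
    """Turn `getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def check_build_tags(props):
    """Return a finding string if the build is not signed with release keys, else None."""
    tags = props.get("ro.build.tags", "")
    fp = props.get("ro.build.fingerprint", "")
    if tags != "release-keys" or fp.endswith("/test-keys"):
        return f"ro.build.tags={tags or 'unset'}, fingerprint={fp or 'n/a'}"
    return None


def check_hosts(text):
    """Return hosts entries that map names to a non-loopback address."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"malformed hosts entry: {line}")
            continue
        if not ip.is_loopback:
            findings.append(f"{', '.join(names)} -> {addr}")
    return findings


def check_processes(text, watchlist=("GoMediaService",)):
    """Return process names from `ps -A` output that contain a watchlisted name."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split(None, 8)       # NAME is the 9th column and may contain spaces
        if len(cols) < 9:
            continue
        name = cols[8]
        if any(w in name for w in watchlist):
            hits.append(name)
    return hits


def triage(getprop_text, hosts_text, ps_text):
    """Run all checks; returns indicator -> list of findings (empty list = clean)."""
    props = parse_getprop(getprop_text)
    return {
        "build_tags": [f for f in [check_build_tags(props)] if f],
        "hosts": check_hosts(hosts_text),
        "processes": check_processes(ps_text),
    }


if __name__ == "__main__":
    for indicator, findings in triage(SAMPLE_GETPROP, SAMPLE_HOSTS, SAMPLE_PS).items():
        print(f"{indicator:10s} {'SUSPECT' if findings else 'ok'}")
        for f in findings:
            print(f"    {f}")
```

On a real device the inputs come from `adb shell getprop`, `adb shell cat /system/etc/hosts` and `adb shell ps -A`. A test-keys build alone is not proof of compromise (some vendors ship them), but together with non-loopback hosts entries or the named service it is a strong signal that the firmware, not just an app, needs to be replaced.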

To protect against these types of attacks, users are advised to keep their devices up to date with the latest vendor firmware and security patches, and to install software only from trusted and reputable sources. Because the backdoor lives in boot.img rather than in an app, uninstalling the streaming application is not enough to clean an infected device; the firmware itself has to be replaced with a clean, vendor-signed image.

