Mirai Variant Infects Low-Cost Android TV Boxes for DDoS attacks

Cyber Security Threat Summary:
A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3. These devices are equipped with quad-core processors, enabling them to execute potent DDoS attacks even with relatively small botnet sizes. According to Dr. Web's findings, the malware enters these devices through two primary means: either through a malicious firmware update that is signed using readily available test keys or through malicious apps hosted on websites that attract users seeking pirated content.

“In the first case, those firmware updates are either installed by resellers of the devices or the users are tricked into downloading them from websites that promise unrestricted media streaming or better compatibility with a broader range of applications. The malicious service is in 'boot.img,' which contains the kernel and ramdisk components loaded during the Android system boot-up, so it's an excellent persistence mechanism. The second distribution channel is pirated content apps that promise access to collections of copyright-protected TV shows and movies for free or at a low fee. Dr. Web gives examples of Android apps that infected devices with this new Mirai malware variant. In this case, persistence is achieved during the first launch of the malicious apps, which start the 'GoMediaService' in the background without the user's knowledge and set it to auto-start on device boot. That service calls the 'gomediad.so' program, which unpacks multiple files, including a command-line interpreter that runs with elevated privileges ('Tool[.]AppProcessShell[.]1') and an installer for the Pandora backdoor ('.tmp[.]sh')” (BleepingComputer, 2023).

After activation, the backdoor establishes communication with the C2 server, replaces the HOSTS file, performs self-updates, and subsequently transitions into standby mode, ready to respond to commands issued by its operators.

Security Officer Comments:
Affordable Android TV boxes can have an unclear path from manufacturer to user, raising concerns about their origins and potential firmware changes. Even if users are careful, there's still a risk of these devices coming with pre-installed malware. To mitigate these risks, it's wise to consider reputable streaming devices like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, or Roku Stick from trusted brands.

Suggested Correction(s):
Dr. Web advises keeping your device's operating system up-to-date to patch vulnerabilities and downloading software exclusively from trusted sources like official websites or app stores. If your Android device has been infected by Android.Pandora, a clean OS image from the device manufacturer can help eradicate the malware.

IOCs:
https://github.com/DoctorWebLtd/malwareiocs/blob/master/Android.Pandora/README.adoc

Link(s):
https://www.bleepingcomputer.com/news/security/mirai-variant-infects-low-cost-android-tv-boxes-for-ddos-attacks/
https://news.drweb.com/show/?lng=en&i=14743