Cybersecurity researchers from Doctor Web have discovered a new variant of the Android Pandora backdoor, which targets Spanish-speaking Android TV users, hijacking the TV to make it part of their botnet, to be used in distributed denial of service (DDoS) attacks.
In a press release, Doctor Web’s researchers explained how unnamed threat actors modified the popular Android.Pandora 10 backdoor, in some places also known as Android.BackDoor.334.
The version they created goes by the name Android.Pandora.2, and it inherited its DDoS capabilities from Mirai. It is being distributed mostly as a malicious firmware update, released on December 3, 2015, for the MTX HTV BOX HTV3 Android box.
Malicious apps and firmware
“It is likely that this update has been made available for download from a number of websites, as it is signed with publicly available Android Open Source Project test keys,” the researchers said. This is not the only distribution method, however, as the researchers also found malicious apps, pretending to offer streaming services for pirated movies and TV shows. These apps include domains with names like youcine, magistv, latinatv, and unitv.
The attackers target mostly low-budget Android TV endpoints. The biggest targets seem to be Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.
Once the victims install the malicious firmware update (or one of the malicious apps), they essentially grant the attackers the ability to control the endpoint. The threat actors would then use it in distributed denial of service attacks, using the TVs to send enormous amounts of traffic towards the victim’s server, until it’s no longer able to service legitimate users. DDoS attacks are a very common tool in a hacking group’s arsenal.
To remain secure, Doctor Web recommends keeping the TV updated, and only using trusted sources to download apps and patches.