A newly discovered variant of the Mirai botnet malware is targeting inexpensive Android TV set-top boxes, devices that a large number of people use for media consumption.
The finding comes from the antivirus research unit at Dr. Web, which reports that the trojan is an evolved version of the ‘Pandora’ backdoor first seen in 2015.
The main targets of the campaign are devices such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, all of which ship with quad-core processors. That processing power lets even a small number of infected devices mount effective DDoS attacks.
Unpacking the Threat
According to Dr. Web, the malware reaches devices by two principal routes: a fake firmware update that relies on publicly available test keys, or rogue apps distributed through domains aimed at users looking for pirated content.
In the first case, the firmware updates are flashed either by third-party sellers or by unsuspecting users who are lured into downloading them from online platforms with promises of unrestricted media access or better app compatibility.
The malicious code is embedded in ‘boot.img’, which holds the kernel and ramdisk loaded during Android start-up, making this an effective way of maintaining persistence.
The second route relies on apps that offer copyrighted TV series and films either for free or for a nominal fee.
</gre_replace>
<gr_replace lines="11-14" cat="clarify" orig="Upon its initiation">
Once launched, the malware establishes persistence by covertly starting the ‘GoMediaService’ in the background and configuring it to run automatically at system start-up.
This service launches the ‘gomediad.so’ program, which in turn decrypts several files, including a command-line interpreter that runs with elevated privileges and an installer for the Pandora backdoor.
Once operational, the backdoor contacts its command and control server, modifies the HOSTS file, runs its update routine, and then waits for further instructions from its operators.
The malware can carry out DDoS attacks over both TCP and UDP, including SYN, ICMP, and DNS floods, and also supports operations such as opening a reverse shell, altering system partitions, and more.
Dr. Web highlighted several Android applications associated with disseminating this Mirai malware variant.
Upon its initiation, this malware secures its persistence by activating the ‘GoMediaService’ covertly in the device’s background and configuring it to launch automatically during system start-up.
This service activates the ‘gomediad.so’ program, which in turn deciphers multiple files. This includes a command interpreter operating with higher privileges and an installer specifically designed for the Pandora backdoor.
Once it’s operational, the backdoor establishes communication with its command and control server, modifies the HOSTS file, refreshes its content, and waits, ready to receive further instructions from its controllers.
The malware is capable of conducting DDoS attacks, using both TCP and UDP protocols. This involves creating SYN, ICMP, and DNS flood requests, and also involves operations like launching a reverse shell, altering system partitions, and more.
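As an added triage example (not code from Dr. Web or this article), the script below scans captured device artifacts for the indicators named above: the ‘GoMediaService’ service, the ‘gomediad.so’ program, and tampering with the HOSTS file. The process listing and hosts file are constructed samples, and the set of "stock" loopback entries is an assumption about a clean Android hosts file.

```python
"""Triage helper for Android TV box artifacts (added example, not the article's code)."""

# Indicator names taken from the article; everything else here is constructed.
SERVICE_INDICATOR = "GoMediaService"
LIBRARY_INDICATOR = "gomediad.so"

# Constructed sample in the style of a `ps -A` listing captured from a box.
SAMPLE_PS = """\
USER   PID  PPID  NAME
root   1    0     init
root   412  1     /system/bin/gomediad.so
u0_a1  517  1     com.android.tv.GoMediaService
"""

# Constructed sample hosts file; the backdoor rewrites HOSTS, so any extra entry is worth review.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 update.example-vendor.invalid   # constructed: blocks a legitimate update check
"""

# Assumption: a clean Android hosts file contains only these two loopback entries.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "ip6-localhost")}


def suspicious_processes(ps_output: str) -> list:
    """Return process names that match the article's indicators (header line skipped)."""
    hits = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if not fields:
            continue
        name = fields[-1]
        if SERVICE_INDICATOR in name or LIBRARY_INDICATOR in name:
            hits.append(name)
    return hits


def nonstandard_hosts_entries(hosts: str) -> list:
    """Return (ip, hostname) pairs that are not the stock loopback entries."""
    entries = []
    for line in hosts.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n) for n in names if (ip, n) not in STOCK_HOSTS)
    return entries


if __name__ == "__main__":
    print("processes:", suspicious_processes(SAMPLE_PS))
    print("hosts:", nonstandard_hosts_entries(SAMPLE_HOSTS))
```

On a real device the same functions can be fed the output of `adb shell ps -A` and the contents of `/etc/hosts`; a non-empty result is a reason to reflash the box from a trusted image rather than clean it in place.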
The Risks of Budget Devices
Cheap Android TV boxes follow an opaque path from the factory to the end user, so buyers usually know little about where a device actually came from, whether its firmware has been modified, or which intermediaries handled it along the way.
Even users who keep the original ROM and are careful about which apps they install still face the risk that the device was delivered with malware pre-installed.
With these concerns in mind, the recommendation is to prefer streaming devices from established brands such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.