Thousands of Android TV boxes hit by dangerous new malware-dropping botnet

 How to connect a phone to your TV.
How to connect a phone to your TV.

A group of hackers has been secretly building a botnet of smart TV and eCos set-top boxes, and then monetizing the access to earn masses of wealth, researchers have warned.

Cybersecurity experts from Qianxin Xlabs dubbed the operation “Bigpanzi”, and claim there are some 170,000 daily active bots.

Given that not all endpoints are active at the same time, the botnet is expected to be much larger, with researchers claiming to have seen 1.3 million unique IP addresses since August 2023.

Tip of the iceberg

To infect the devices with malware, the criminals trick the victims into downloading malicious apps themselves, a separate report from Dr. Web says. The apps, which haven’t been named, drop two malware variants: pandoraspear, and pcdn. While one acts as a trojan and allows the attackers to hijack DNS settings and run commands, the other helps build a peer-to-peer (P2P) Content Distribution Network (CDN) and can mount Distributed Denial of Service (DDoS) attacks.

The campaign is active since 2015, the researchers claim, with most victims apparently being located in Brazil. "Over the past eight years, Bigpanzi has been operating covertly, silently amassing wealth from the shadows," Xlabs said in its report. "With the progression of their operations, there has been a significant proliferation of samples, domain names, and IP addresses."

"In the face of such a large and intricate network, our findings represent just the tip of the iceberg in terms of what Bigpanzi encompasses."

There are a number of things Bigpanzi’s operators can do with infected devices. Most notably, they can turn the compromised set-top boxes into nodes and offer them as part of an illegal media streaming service. Furthermore, they can offer traffic proxy networks for hire, and mount DDoS attacks to whoever is happy to pay. Finally, they can use the botnet for OTT content provision.

Edit, January 19 - After the publication of this article, a Google spokesperson reached out with the following statement:

“These devices found to be infected appear to be Android Open Source Project (AOSP) devices, which means that anyone can download and modify the code. Android TV is Google's operating system for smart TVs and streaming devices. It is proprietary, which means that only Google and its licensed partners can modify the code.

If a device isn't 
Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

Via BleepingComputer

More from TechRadar Pro