New variant of Mirai botnet infects Android TV set-top boxes
The new threat to Android TV devices: Pandora malware spreads rapidly among low-cost set-top boxes
A new variant of the Mirai malware has been detected infecting low-cost Android TV set-top boxes, which are very popular in the media streaming industry. This new version of the "Pandora" backdoor was discovered by Dr. Web's antivirus team; the malware family it belongs to was first identified in 2015. The botnet mainly targets devices such as the Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3, whose quad-core processors give the botnet enough capacity to launch powerful DDoS attacks, even in small swarms.
Malware distribution methods
The malware spreads via a malicious firmware update signed with publicly available Android test keys, so it installs without any vendor-specific signing key. It is also distributed through malicious apps hosted on domains aimed at users interested in pirated content. Firmware updates are installed by device vendors or are downloaded by users from websites that promise unlimited media streaming or better compatibility with different applications. Pirated-content apps that promise access to copyrighted TV shows and movies for free or at low cost are another distribution vehicle for this Mirai variant.
How the malware works
Once the device is infected, the malware modifies the "boot.img" file to gain strong persistence. This file contains the kernel and ramdisk components that are loaded during Android system startup, so the malware is relaunched on every boot. It runs in the background without the user's knowledge and communicates with a C2 server. It can also replace the HOSTS file, and it performs DDoS attacks over TCP and UDP by generating SYN, ICMP and DNS flood traffic. The backdoor can additionally open a reverse shell, mount system partitions for modification, and more.
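Replacing the HOSTS file is something a defender can check for directly. The following script, added here as an example and not taken from the Dr. Web report or this article, parses the contents of an Android /system/etc/hosts file and flags entries a stock image would never contain: non-local hostnames redirected to external addresses, and non-local hostnames sinkholed to loopback. The hostnames and addresses in the sample input are constructed for illustration (RFC 5737 documentation ranges and .test domains).

```python
"""Audit an Android hosts file for tampering.

A stock Android hosts file normally contains only loopback entries such as
"127.0.0.1 localhost" and "::1 ip6-localhost". A replaced file can either
redirect a domain (e.g. a firmware update host) to an external address, or
sinkhole a domain (e.g. a security vendor) to loopback so it never resolves.
Both patterns are reported for an analyst to review.
"""
import ipaddress

# Hostnames that legitimately map to loopback on Android/Linux
LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback",
                  "localhost.localdomain"}

# Constructed sample of a tampered hosts file (not real IoCs)
SAMPLE_HOSTS = """\
# constructed sample: a tampered hosts file
127.0.0.1       localhost
::1             ip6-localhost
203.0.113.10    update.example-vendor.test   # update domain redirected
127.0.0.1       av.example-security.test     # security vendor sinkholed
"""


def parse_hosts(text):
    """Return (address, [hostnames], line_no) for each non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, nothing mapped
        entries.append((parts[0], parts[1:], line_no))
    return entries


def is_local_address(addr):
    """True for loopback or unspecified addresses; False if unparseable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_suspicious_entries(text):
    """Return (line_no, address, [hostnames], kind) for each suspect line.

    kind is "redirect" when a name maps to a non-loopback address and
    "sinkhole" when a non-local name maps to loopback.
    """
    findings = []
    for addr, names, line_no in parse_hosts(text):
        if is_local_address(addr):
            external = [n for n in names if n not in LOOPBACK_NAMES]
            if external:
                findings.append((line_no, addr, external, "sinkhole"))
        else:
            findings.append((line_no, addr, names, "redirect"))
    return findings


if __name__ == "__main__":
    for line_no, addr, names, kind in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:8s} {addr} -> {', '.join(names)}")
```

On a real device the file can be pulled with `adb pull /system/etc/hosts` and fed to `find_suspicious_entries`; an empty result for a file that only contains the loopback entries is the expected baseline.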
Tips for protecting yourself from infections
Cheap Android set-top box devices pose a significant risk to users, as they often come from untrusted sources and can arrive with malware pre-loaded. To ensure greater security, it is advisable to opt for streaming devices from trusted brands such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV and Roku Stick. Furthermore, it is important to avoid installing apps from unofficial or suspicious sources and always keep your devices' firmware updated. Finally, it is essential to raise user awareness of the risks associated with using pirated content and promote the importance of using legal and authorized services for multimedia streaming.
09/06/2023 17:25
Marco Verro