{"id":16826,"date":"2023-09-09T12:07:20","date_gmt":"2023-09-09T12:07:20","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=16826"},"modified":"2024-05-30T21:37:45","modified_gmt":"2024-05-30T21:37:45","slug":"mirai-pandora-infects-android-os","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/mirai-pandora-infects-android-os\/","title":{"rendered":"Mirai variant “Pandora” infects Android TV for DDoS attacks."},"content":{"rendered":"

A new variant of the Mirai malware<\/strong> botnet has been detected, infecting low-cost Android TV set-top boxes. They are extensively used for media streaming by millions of people. The present Trojan is a fresh edition of the ‘Pandora’ backdoor<\/strong> initially identified in 2015, per the analytics.<\/p>\n

The campaign targets low-cost Android TV boxes<\/strong> such as Tanix TX6, MX10 Pro 6K, and H96 MAX X3. These devices have quad-core processors that can launch powerful DDoS attacks<\/a>, even in small swarm sizes.<\/p>\n

Mirai Botnet Aims Android-based TV Boxes<\/h2>\n

Mirai Botnet can infect devices<\/a> via malicious firmware updates<\/strong> signed with publicly available test keys or malicious apps. Which undoubtedly distributed on domains that target users interested in pirated content<\/strong>. In the first case, firmware updates are either installed by resellers of the devices or users are tricked into downloading them<\/strong> from websites. Then, they promise unrestricted media streaming or better application compatibility.<\/p>\n

The ‘boot.img<\/code>‘ file contains the kernel and ramdisk components loaded during Android boot-up. It makes it an excellent persistence mechanism for the malicious service<\/strong>.<\/p>\n

\"Mirai
Malicious service<\/figcaption><\/figure>\n

The second distribution channel involves the use of pirated content apps<\/strong>. They also offer access to collections of copyrighted TV shows and movies for free or at a low cost. Security experts have identified Android apps that spread the new Mirai malware<\/strong> variant to infected devices. Here is an example:<\/p>\n

\"Android
Site dropping malware<\/figcaption><\/figure>\n

In this case, the malicious apps surreptitiously start the ‘GoMediaService<\/code>‘ during the initial launch and set it to auto-start when the device boots up.<\/p>\n

When the ‘gomediad.so<\/code>‘ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1<\/code>‘) and an installer for the Pandora backdoor (‘.tmp.sh<\/code>‘).<\/p>\n

\"gomediad.so\"
GoMedia service structure
<\/figcaption><\/figure>\n

After being activated, the backdoor establishes communication<\/a> with the C2 server, and replaces the HOSTS file. After that, it updates itself and then enters standby mode, waiting for instructions from its operators. The malware can launch DDoS attacks<\/strong> using the TCP and UDP protocols, such as generating SYN, ICMP, and DNS flood requests. It can also open a reverse shell, mount system partitions for modification<\/strong>, and perform other functionalities.<\/p>\n

IoC Mirai Botnet<\/h2>\n