A large-scale cybercrime operation has been discovered that is targeting Android TVs, eCos devices, and set-top boxes in order to ensnare the compromised devices in a DDoS botnet.
Named ‘Bigpanzi’ by experts with Chinese cybersecurity firm Qianxin X Laboratory, the cybercriminal gang has been active since 2015. Unlike other botnets spreading via zero-day or N-day vulnerabilities, Bigpanzi delivers malware through pirated movie and TV apps or firmware updates containing a backdoor.
The researchers said they discovered around 170,000 Android TVs infected with unknown malware, mainly located in Brazil, although it might be just the tip of the iceberg. Qianxin believes that Bigpanzi is the same threat actor behind the Pandora botnet first spotted in September 2023.
“Bigpanzi's menace extends beyond the infamous DDoS attacks. It can misuse controlled Android TVs and set-top boxes to disseminate any form of visual or audio content, unbound by legal constraints,” the report said.
The investigation into the gang began after the researchers spotted a suspicious ELF file on VirusTotal named ’pandoraspear.’ An analysis revealed nine hardcoded command-and-control domain names, two of which the researchers were able to hijack. They observed a peak of 170,000 daily active bots. The group retaliated with DDoS attacks to force the domains offline and manipulated the hosts files of the infected devices, limiting the researchers’ ability to track the gang’s activities.
Bigpanzi is not the first cybercriminal gang to abuse smart TVs and set-top boxes for nefarious purposes. Last year, a vast ad fraud botnet was discovered that involved thousands of cheap Android-based mobile phones, tablets, and TV boxes infected with the Triada backdoor. The goal of the operation dubbed “Peachpit” was to install malicious apps on the infected devices that would display unwanted ads.
In May, Trend Micro shed light on another cybercrime enterprise known as Lemon Group that was using millions of pre-infected Android smartphones worldwide to carry out their malicious operations.