Bigpanzi Botnet Infects Over 170,000 Smart TVs and TV Boxes
Beijing-based cybersecurity company Qianxin Xlabs has issued a warning that the hacker group Bigpanzi has been infecting Android-based smart TVs and eCos-based TV boxes worldwide with malware since 2015. It is believed that the group currently controls a large botnet consisting of around 170,000 active devices each day.
Bigpanzi infects devices through firmware or app updates that users install themselves. This threat was previously reported in the fall of 2023 by analysts at Doctor Web, who track it under the identifier Android.Pandora.
Malicious Applications
Hackers monetize the infected devices by turning them into nodes for illegal streaming platforms, traffic proxying, DDoS attacks, and OTT content distribution. The Qianxin Xlabs report highlights two malicious tools used by Bigpanzi: pandoraspear and pcdn.
Malicious Files in Firmware
Pandoraspear acts as a backdoor trojan that changes DNS settings, establishes a connection with a command-and-control server, and can execute commands received from its operators. The malware supports a wide range of commands, allowing it to manipulate DNS settings, launch DDoS attacks, update itself, create reverse shells, manage communication with the control server, and execute arbitrary commands.
Pandoraspear uses a modified UPX Shell, dynamic linking, OLLVM compilation, and various anti-debugging mechanisms to evade detection. Pcdn, on the other hand, is used to create a P2P content delivery network (CDN) on infected devices and also has capabilities for conducting DDoS attacks.
Built-in DDoS Functionality in Pcdn
Chinese researchers gained insight into the size of the botnet by taking control of two of the group’s C&C domains and monitoring them for a week. Analysts report that at peak times, the Bigpanzi botnet includes up to 170,000 active bots, and since August of last year, more than 1.3 million unique IP addresses have been associated with it, most of which were located in Brazil.
Since compromised devices are not always active at the same time and the researchers’ capabilities were limited, it is assumed that the real size of the botnet is much larger.
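To make the measurement gap described above concrete, here is an added example (not Xlabs' tooling) that tallies constructed sinkhole records the way a defender would: peak daily-active bots, cumulative unique IPs, and how many IPs show up on only one day. The log format, sample rows and country codes are all constructed for illustration.

```python
"""Sinkhole tally sketch (added example, not the researchers' code).

Each constructed record is "ISO-timestamp source_ip country". Daily-active
counts undercount devices that are switched off that day; cumulative unique
IPs overcount devices whose ISP reassigns addresses. Neither is the true size.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (documentation-range IPs, made-up countries).
SAMPLE_LOG = """\
2023-08-01T00:10:00 203.0.113.5 BR
2023-08-01T06:00:00 203.0.113.9 BR
2023-08-01T12:00:00 198.51.100.7 US
2023-08-02T01:00:00 203.0.113.5 BR
2023-08-02T03:00:00 203.0.113.44 BR
2023-08-03T02:00:00 203.0.113.9 BR
2023-08-03T09:00:00 192.0.2.10 AR
"""


def parse_log(text):
    """Return a list of (date, ip, country) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cc = line.split()
        records.append((datetime.fromisoformat(ts).date(), ip, cc))
    return records


def daily_active(records):
    """Map each day to the number of distinct source IPs seen that day."""
    per_day = defaultdict(set)
    for day, ip, _ in records:
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}


def summarize(records):
    """Compute the figures a sinkhole report typically quotes."""
    days_seen = defaultdict(set)          # ip -> set of days it checked in
    country_of = {}                       # ip -> country (last seen wins)
    for day, ip, cc in records:
        days_seen[ip].add(day)
        country_of[ip] = cc
    by_country = Counter(country_of.values())
    return {
        "peak_daily_active": max(daily_active(records).values()),
        "cumulative_unique_ips": len(days_seen),
        "seen_single_day": sum(1 for d in days_seen.values() if len(d) == 1),
        "top_country": by_country.most_common(1)[0][0],
    }
```

The constructed sample yields a peak of 3 daily-active IPs but 5 cumulative IPs, the same kind of spread the report notes between 170,000 daily bots and 1.3 million IPs overall.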
“For eight years, Bigpanzi has operated covertly, quietly and steadily increasing its wealth. As their operations have expanded, the number of malware samples, domain names, and IP addresses has grown significantly. In such a large and tangled network, our findings represent only the tip of the iceberg,” the experts concluded.