Pandora Malware Exploits Budget Android TV Boxes for DDoS Attacks

Security experts at Doctor Web have discovered a malware family called Android.Pandora (hereafter referred to as Pandora), which is built on the well-known Mirai code base. Pandora reaches user devices in two ways: bundled inside firmware updates, or through apps for illegal video streaming that drop it after installation.

The company reports receiving complaints from several users who noticed changes to files in the system area. Their threat monitor detected the following objects in the file system of affected devices:

  • /system/bin/pandoraspearrk
  • /system/bin/supervisord
  • /system/bin/s.conf
  • /system/xbin/busybox
  • /system/bin/curl

Additionally, two files were found to be modified:

  • /system/bin/rootsudaemon.sh
  • /system/bin/preinstall.sh

Which file was altered differed from device to device. Investigation revealed that the installer script looks for system services implemented as .sh scripts and appends a line that launches the trojan: /system/bin/supervisord -c /system/bin/s.conf &. Because those scripts are run at boot, the backdoor is started again after every reboot, which is how it persists on the device.
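The persistence mechanism above is easy to check for on a pulled copy of the system partition. The following script is an added example, not Dr.Web's tooling: it looks for the dropped files the report lists and greps every .sh script in the tree for the supervisord launch line. The file paths and the launch line come from the report; the sample init script embedded in the block is constructed for demonstration, and the strong/supporting split of the indicators is this example's own judgement (busybox and curl ship legitimately on many ROMs).

```python
"""Offline triage for the Android.Pandora indicators described above.

Added example, not Dr.Web's tooling. Scans a local copy of a device's
/system tree (for example one pulled with `adb pull /system ./system`) for
the dropped files and for the launch line the installer appends to
init-run .sh scripts. Paths and the launch line are taken from the report;
SAMPLE_SCRIPT is constructed for demonstration.
"""
import os
import re
import sys

# Files the report lists as dropped by the installer (device-absolute paths).
STRONG_IOCS = [
    "/system/bin/pandoraspearrk",
    "/system/bin/supervisord",
    "/system/bin/s.conf",
]
# busybox and curl ship legitimately on many ROMs: supporting evidence only.
SUPPORTING_IOCS = ["/system/xbin/busybox", "/system/bin/curl"]

# The persistence line: "/system/bin/supervisord -c /system/bin/s.conf &".
# Path prefix, spacing and the trailing '&' are tolerated so a slight
# variation of the installer is still caught; a commented-out line is not.
PERSISTENCE_RE = re.compile(
    r"^\s*(?:/system/bin/)?supervisord\s+-c\s+/system/bin/s\.conf(?=\s|&|$)"
)

# Constructed sample of an init script after the installer has run.
SAMPLE_SCRIPT = (
    "#!/system/bin/sh\n"
    "# vendor root helper (constructed sample)\n"
    "/system/bin/daemonsu &\n"
    "/system/bin/supervisord -c /system/bin/s.conf &\n"
)


def find_persistence_lines(script_text):
    """Return 1-based line numbers in a shell script that launch supervisord."""
    return [
        lineno
        for lineno, line in enumerate(script_text.splitlines(), start=1)
        if PERSISTENCE_RE.match(line)
    ]


def match_iocs(present_paths):
    """Split the device paths that exist into strong and supporting IOC hits."""
    present = set(present_paths)
    return {
        "strong": [p for p in STRONG_IOCS if p in present],
        "supporting": [p for p in SUPPORTING_IOCS if p in present],
    }


def scan_tree(root):
    """Scan a local copy of /system and return a report dict."""
    root = os.path.abspath(root)
    present = [
        p for p in STRONG_IOCS + SUPPORTING_IOCS
        if os.path.exists(os.path.join(root, p[len("/system/"):]))
    ]
    report = match_iocs(present)
    report["persistence"] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".sh"):
                continue
            local = os.path.join(dirpath, name)
            try:
                with open(local, encoding="utf-8", errors="replace") as fh:
                    hits = find_persistence_lines(fh.read())
            except OSError:
                continue
            if hits:
                dev_path = "/system/" + os.path.relpath(local, root).replace(os.sep, "/")
                report["persistence"][dev_path] = hits
    return report


def main(argv):
    if len(argv) < 2:
        print("no tree given; sample script hits:", find_persistence_lines(SAMPLE_SCRIPT))
        return 0
    report = scan_tree(argv[1])
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit when a strong indicator or the persistence line is present.
    return 1 if report["strong"] or report["persistence"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 pandora_triage.py ./system` against the pulled tree; with no argument it only demonstrates the regex on the constructed sample. A hit on the launch line in any .sh under /system/bin is the decisive indicator, since the report notes that the modified script varies between devices.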

How Pandora Works

Researchers were particularly interested in the obfuscated file named pandoraspearrk, identified as Android.Pandora.2. Analysis showed that the main purpose of this backdoor is to use the infected device as part of a botnet for DDoS attacks.

The supervisord file is a service that monitors the status of the pandoraspearrk executable and restarts the backdoor if it stops running. Its settings are stored in the s.conf file.

The busybox and curl files are standard versions of these command-line utilities, included to provide network functions and file system operations. The rootsudaemon.sh file launches the daemonsu service with root privileges, as well as the aforementioned supervisord with parameters from s.conf. The preinstall.sh script performs various actions specified by the device manufacturer.

Targeted Devices and Infection Vectors

According to experts, this malware primarily targets users of budget Android TV devices, such as the Tanix TX6 TV Box, MX10 Pro 6K, H96 MAX X3, and several others.

The trojan is a modification of the backdoor Android.Pandora.10 (previously known as Android.BackDoor.334), which was found in a malicious firmware update for the MTX HTV BOX HTV3 TV box dated December 3, 2015. That update was signed with the publicly available Android Open Source Project test keys, which anyone can use, so it was most likely distributed through various third-party websites rather than as an official vendor update.

In these cases, firmware updates were either installed by device resellers or users were tricked into downloading them from sites promising unlimited streaming or better compatibility with a wider range of apps.

The service that launches the backdoor is registered in the boot image, boot.img. A screenshot in the original report (not reproduced here) shows the malicious service being started from the init.amlogic.board.rc file extracted from boot.img.

Malware Spread via Illegal Streaming Apps

The second infection vector for Pandora is the installation of apps from websites offering illegal streaming of movies and TV shows. Researchers cite domains such as youcine, magistv, latinatv, and unitv, which are aimed at Spanish-speaking users.

After installation and launch, the app silently starts the GoMediaService on the device. This service then automatically starts at device boot, calling the gomediad.so program. The analyzed version of this program unpacks several files, including an executable classes.dex, which acts as a command interpreter with elevated privileges.

Other programs on the device can then interact with this command shell over TCP port 4521, which it leaves open. The original report includes an image (not reproduced here) of the file structure that gomediad.so, detected as Android.Pandora.4, creates after it is launched.

Among the unpacked files is .tmp.sh, which is the installer for the aforementioned Android.Pandora.2 backdoor. After installation and launch, the backdoor obtains the address of its command-and-control server from command-line parameters or from a file encrypted with the Blowfish algorithm. Upon contacting the server, the backdoor downloads a hosts file, replacing the original system file, initiates a self-update process, and is then ready to receive commands.
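Two of the behaviours just described leave traces that can be checked on a running box: the command shell listening on port 4521, and the replaced hosts file. The script below is an added example, not Dr.Web's tooling. It parses the Linux /proc/net/tcp socket table (readable from `adb shell cat /proc/net/tcp`; the same parser works on /proc/net/tcp6) for a listener on 4521, and compares a hosts file against the two mappings a stock Android /system/etc/hosts contains. The sample socket table and hosts file are constructed, and the injected hostname in the sample is invented.

```python
"""Live checks for two Pandora indicators: the gomediad.so command shell on
TCP port 4521, and the hosts file Android.Pandora.2 replaces after
contacting its C2.

Added example, not Dr.Web's tooling. Parses /proc/net/tcp(6) dumps and a
hosts file. SAMPLE_PROC_NET_TCP and SAMPLE_HOSTS are constructed; the
injected hostname in SAMPLE_HOSTS is invented.
"""
import sys

COMMAND_SHELL_PORT = 4521
TCP_LISTEN = "0A"  # socket state column of /proc/net/tcp, in hex

# A stock Android /system/etc/hosts contains only these two mappings.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "ip6-localhost")}

# Constructed /proc/net/tcp: one listener on 0x11A9 (4521) and one
# established connection on port 80 that must not be reported.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode\n"
    "   0: 00000000:11A9 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
    "     0        0 21431 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0050 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000"
    "  1000        0 21450 1 0000000000000000 20 4 30 10 -1\n"
)

# Constructed hosts file: the two stock lines plus one injected mapping.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "::1 ip6-localhost\n"
    "0.0.0.0 update.example.invalid   # injected (constructed)\n"
)


def listening_ports(proc_net_tcp_text):
    """Return the set of local TCP ports in LISTEN state from a /proc/net/tcp(6) dump."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        # local_address is hex "ADDR:PORT"; the port follows the last colon.
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def command_shell_exposed(proc_net_tcp_text):
    """True if something is listening on the gomediad.so command-shell port."""
    return COMMAND_SHELL_PORT in listening_ports(proc_net_tcp_text)


def hosts_anomalies(hosts_text):
    """Return (ip, hostname) pairs not present in a stock Android hosts file.

    Ad-blocking mods also add entries, so review hits rather than treating
    every extra line as Pandora.
    """
    extra = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name) not in STOCK_HOSTS:
                extra.append((ip, name))
    return extra


def main(argv):
    if len(argv) >= 3:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            tcp_text = fh.read()
        with open(argv[2], encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    else:
        # No files given: run the checks on the constructed samples.
        tcp_text, hosts_text = SAMPLE_PROC_NET_TCP, SAMPLE_HOSTS
    print("port 4521 listening:", command_shell_exposed(tcp_text))
    print("non-stock hosts entries:", hosts_anomalies(hosts_text))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a real device, capture the inputs with `adb shell cat /proc/net/tcp > tcp.txt` and `adb pull /system/etc/hosts`, then run `python3 pandora_live.py tcp.txt hosts`. A listener on 4521 is a strong sign that the GoMediaService shell is active; extra hosts entries only corroborate it, since the report says the replacement hosts file comes from the C2 but not what it contains.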

Capabilities and Threats

By sending commands to the infected device, attackers can start and stop DDoS attacks using TCP and UDP protocols, perform SYN, ICMP, and DNS floods, open reverse shells, mount Android TV OS system partitions for reading and writing, and more. All these capabilities are implemented using code from the well-known IoT malware Mirai.
