Bigpanzi Bot Hacks 170,000+ Android TVs to Launch DDoS Attacks

Android TVs are widely used, and due to their wide adoption, threat actors frequently target them for unauthorized access or data theft.

In Android smart TVs, the vulnerabilities in outdated software or third-party apps can be exploited.

The interconnected nature of the smart or Android TVs makes them potential targets for the threat actors seeking to compromise user privacy or launch broader attacks within home networks.

Cybersecurity researcher Alex.Turing, Acey9, and rootkiter recently discovered more than 170000 Android TVs were hacked by the “Bigpanzi” bot to Launch DDoS attacks.

Bigpanzi Bot Hacks 170,000+ Android TVs

A sneaky ELF sample dubbed “pandoraspear” was recently discovered by security researchers with zero detection on VirusTotal. It primarily hides the C2 domains, but analysts managed to catch them and found 170,000 daily active bots, mainly in Brazil.

The group fought back with DDoS and host file manipulations. They aimed at Android devices with malicious scripts and APKs, exposing a major cybercrime syndicate named “Bigpanzi.” 

Their scheme involves luring users to install apps and turning devices into nodes for illegal streaming, DDoS, and piracy. Bigpanzi goes beyond DDoS by hijacking TVs for real-world attacks, like the UAE incident on December 11, 2023, showing conflict footage. 

The Bigpanzi-controlled devices pose a serious threat by broadcasting violent or propaganda content by risking social order.

Security researchers found the downloader domain ak.tknxg.cf in the Pcdn sample. The Google search unveiled two leads, “device upgrade instructions” and “repair guidance.” 

Noteworthy was the YouTube channel:-

• https[:]//www.youtube[.]com/@customersupportteam49

This YouTube channel was filled with official-sounding device operation videos. FoneStar’s RDS-585WHD page harbored eCos firmware b0a192c6f2bbd7247dfef36665bf6c88, matching Pcdn’s DDoS task names, branding it “official firmware embedded with malware.” 

Discovery of an “official video account” and “official malware-infused firmware” fueled speculation on Bigpanzi’s true identity.

Botnet with 100,000 is likely larger, and Bigpanzi bot infects Android and eCos platforms using three methods.

Here below we have mentioned those three methods:-

• Pirated movie & TV apps (Android)

• Backdoored generic OTA firmware (Android)

• Backdoored “SmartUpTool” firmware (eCos)

Moreover, to infect the devices that are running Android or eCos systems,  the Bigpanzi spreads backdoored firmware via several STB, DVB, and IPTV forums.

Countermeasures

Here below, we have mentioned all the countermeasures:-

• Modified UPX Shell
• Dynamic Linking
• OLLVM Techniques
• Anti-Debugging Mechanism

Besides this, cybersecurity analysts identified “Fl00dce690167abeee4326d5369cceffadaaf,” which is a DDoS Builder. 

The operational interface has a ‘slave’ button for configuration that generates bot samples for STB, Linux, and Windows. Initially doubted Bigpanzi’s DDoS involvement, but DDoS Builder discovery confirms long-term engagement. 

However, no tracked attack commands suggest a focus shift to lucrative content business lines, Android TV, and STBs. The adaptability of Bigpanzi highlighted its evolution in the threat landscape.

Bigpanzi operated covertly and managed to collect wealth for eight years which resulted in a vast network of samples, domains, and IPs. Complex connections exist due to code and infrastructure reuse.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.