Wednesday, November 13, 2024
HomeAndroidBigpanzi Bot Hacks 170,000+ Android TVs to Launch DDoS Attacks

Bigpanzi Bot Hacks 170,000+ Android TVs to Launch DDoS Attacks

Published on

Malware protection

Android TVs are widely used, and due to their wide adoption, threat actors frequently target them for unauthorized access or data theft.

In Android smart TVs, the vulnerabilities in outdated software or third-party apps can be exploited.

The interconnected nature of the smart or Android TVs makes them potential targets for the threat actors seeking to compromise user privacy or launch broader attacks within home networks.

- Advertisement - SIEM as a Service

Cybersecurity researcher Alex.Turing, Acey9, and rootkiter recently discovered more than 170000 Android TVs were hacked by the “Bigpanzi” bot to Launch DDoS attacks.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Bigpanzi Bot Hacks 170,000+ Android TVs

A sneaky ELF sample dubbed “pandoraspear” was recently discovered by security researchers with zero detection on VirusTotal. It primarily hides the C2 domains, but analysts managed to catch them and found 170,000 daily active bots, mainly in Brazil.

Botnet nodes across Brazil (Source -Xlab Qianxin)
Botnet nodes across Brazil (Source -Xlab Qianxin)

The group fought back with DDoS and host file manipulations. They aimed at Android devices with malicious scripts and APKs, exposing a major cybercrime syndicate named “Bigpanzi.” 

Their scheme involves luring users to install apps and turning devices into nodes for illegal streaming, DDoS, and piracy. Bigpanzi goes beyond DDoS by hijacking TVs for real-world attacks, like the UAE incident on December 11, 2023, showing conflict footage. 

The Bigpanzi-controlled devices pose a serious threat by broadcasting violent or propaganda content by risking social order.

Security researchers found the downloader domain ak.tknxg.cf in the Pcdn sample. The Google search unveiled two leads, “device upgrade instructions” and “repair guidance.” 

Noteworthy was the YouTube channel:-

  • https[:]//www.youtube[.]com/@customersupportteam49

This YouTube channel was filled with official-sounding device operation videos. FoneStar’s RDS-585WHD page harbored eCos firmware b0a192c6f2bbd7247dfef36665bf6c88, matching Pcdn’s DDoS task names, branding it “official firmware embedded with malware.” 

Discovery of an “official video account” and “official malware-infused firmware” fueled speculation on Bigpanzi’s true identity.

Botnet with 100,000 is likely larger, and Bigpanzi bot infects Android and eCos platforms using three methods.

Here below we have mentioned those three methods:-

  • Pirated movie & TV apps (Android)
Pirated movie & TV apps (Source -Xlab Qianxin)
Pirated movie & TV apps (Source -Xlab Qianxin)
  • Backdoored generic OTA firmware (Android)
Backdoored generic OTA firmware (Source -Xlab Qianxin)
Backdoored generic OTA firmware (Source -Xlab Qianxin)
  • Backdoored “SmartUpTool” firmware (eCos)
Backdoored 'SmartUpTool' firmware (Source -Xlab Qianxin)
Backdoored ‘SmartUpTool’ firmware (Source -Xlab Qianxin)

Moreover, to infect the devices that are running Android or eCos systems,  the Bigpanzi spreads backdoored firmware via several STB, DVB, and IPTV forums.

Countermeasures

Here below, we have mentioned all the countermeasures:-

  • Modified UPX Shell
  • Dynamic Linking
  • OLLVM Techniques
  • Anti-Debugging Mechanism

Besides this, cybersecurity analysts identified “Fl00dce690167abeee4326d5369cceffadaaf,” which is a DDoS Builder. 

The operational interface has a ‘slave’ button for configuration that generates bot samples for STB, Linux, and Windows. Initially doubted Bigpanzi’s DDoS involvement, but DDoS Builder discovery confirms long-term engagement. 

However, no tracked attack commands suggest a focus shift to lucrative content business lines, Android TV, and STBs. The adaptability of Bigpanzi highlighted its evolution in the threat landscape.

Bigpanzi operated covertly and managed to collect wealth for eight years which resulted in a vast network of samples, domains, and IPs. Complex connections exist due to code and infrastructure reuse.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Chrome 131 Released with the Fix for Multiple Vulnerabilities

The Chrome team has officially announced the release of Chrome 131 for Windows, Mac,...

Ivanti Warns of Critical Vulnerabilities in Connect Secure, Policy Secure & Secure Access

Ivanti, the well-known provider of IT asset and service management solutions, has issued critical...

Thousands of EOL D-Link Routers Vulnerable to Password Change Attacks

In a critical security disclosure, it has been revealed that thousands of end-of-life (EOL)...

Crafting A Successful Crypto Investment Thesis: Strategies For Long-Term Growth 

Diving into the world of crypto investments has been one of the most exhilarating...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Chrome 131 Released with the Fix for Multiple Vulnerabilities

The Chrome team has officially announced the release of Chrome 131 for Windows, Mac,...

Ivanti Warns of Critical Vulnerabilities in Connect Secure, Policy Secure & Secure Access

Ivanti, the well-known provider of IT asset and service management solutions, has issued critical...

Thousands of EOL D-Link Routers Vulnerable to Password Change Attacks

In a critical security disclosure, it has been revealed that thousands of end-of-life (EOL)...