Bigpanzi Bot Hacks 170,000+ Android TVs to Launch DDoS Attacks

Android TVs are widely used, and due to their wide adoption, threat actors frequently target them for unauthorized access or data theft.

In Android smart TVs, the vulnerabilities in outdated software or third-party apps can be exploited.

The interconnected nature of the smart or Android TVs makes them potential targets for the threat actors seeking to compromise user privacy or launch broader attacks within home networks.

Cybersecurity researcher Alex.Turing, Acey9, and rootkiter recently discovered more than 170000 Android TVs were hacked by the “Bigpanzi” bot to Launch DDoS attacks.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Bigpanzi Bot Hacks 170,000+ Android TVs

A sneaky ELF sample dubbed “pandoraspear” was recently discovered by security researchers with zero detection on VirusTotal. It primarily hides the C2 domains, but analysts managed to catch them and found 170,000 daily active bots, mainly in Brazil.

Botnet nodes across Brazil (Source -Xlab Qianxin)Botnet nodes across Brazil (Source -Xlab Qianxin)
Botnet nodes across Brazil (Source -Xlab Qianxin)

The group fought back with DDoS and host file manipulations. They aimed at Android devices with malicious scripts and APKs, exposing a major cybercrime syndicate named “Bigpanzi.” 

Their scheme involves luring users to install apps and turning devices into nodes for illegal streaming, DDoS, and piracy. Bigpanzi goes beyond DDoS by hijacking TVs for real-world attacks, like the UAE incident on December 11, 2023, showing conflict footage. 

The Bigpanzi-controlled devices pose a serious threat by broadcasting violent or propaganda content by risking social order.

Security researchers found the downloader domain ak.tknxg.cf in the Pcdn sample. The Google search unveiled two leads, “device upgrade instructions” and “repair guidance.” 

Noteworthy was the YouTube channel:-

  • https[:]//www.youtube[.]com/@customersupportteam49

This YouTube channel was filled with official-sounding device operation videos. FoneStar’s RDS-585WHD page harbored eCos firmware b0a192c6f2bbd7247dfef36665bf6c88, matching Pcdn’s DDoS task names, branding it “official firmware embedded with malware.” 

Discovery of an “official video account” and “official malware-infused firmware” fueled speculation on Bigpanzi’s true identity.

Botnet with 100,000 is likely larger, and Bigpanzi bot infects Android and eCos platforms using three methods.

Here below we have mentioned those three methods:-

  • Pirated movie & TV apps (Android)
Pirated movie & TV apps (Source -Xlab Qianxin)
  • Backdoored generic OTA firmware (Android)
Backdoored generic OTA firmware (Source -Xlab Qianxin)
  • Backdoored “SmartUpTool” firmware (eCos)
Backdoored ‘SmartUpTool’ firmware (Source -Xlab Qianxin)

Moreover, to infect the devices that are running Android or eCos systems,  the Bigpanzi spreads backdoored firmware via several STB, DVB, and IPTV forums.

Countermeasures

Here below, we have mentioned all the countermeasures:-

  • Modified UPX Shell
  • Dynamic Linking
  • OLLVM Techniques
  • Anti-Debugging Mechanism

Besides this, cybersecurity analysts identified “Fl00dce690167abeee4326d5369cceffadaaf,” which is a DDoS Builder. 

The operational interface has a ‘slave’ button for configuration that generates bot samples for STB, Linux, and Windows. Initially doubted Bigpanzi’s DDoS involvement, but DDoS Builder discovery confirms long-term engagement. 

However, no tracked attack commands suggest a focus shift to lucrative content business lines, Android TV, and STBs. The adaptability of Bigpanzi highlighted its evolution in the threat landscape.

Bigpanzi operated covertly and managed to collect wealth for eight years which resulted in a vast network of samples, domains, and IPs. Complex connections exist due to code and infrastructure reuse.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

IT Worker from Computacenter Let Girlfriend Into Deutsche Bank’s Restricted Areas

A former information technology manager has filed a whistleblower lawsuit alleging a major security breach…

3 minutes ago

NSO Group Ordered to Pay $168 Million to WhatsApp in US Spyware Verdict

A federal jury in California has ordered Israeli spyware maker NSO Group to pay approximately…

59 minutes ago

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

15 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

15 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

15 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

15 hours ago