Researchers have discovered over 100,000 Android TVs and set-top boxes infected with unknown malware, which is being spread via pirated movie and TV apps and backdoored firmware. They warn that this may be just the tip of the iceberg.
Cyber threat analysts from Chinese Qianxin X Laboratory uncovered a large-scale cybercrime syndicate operating in Brazil, targeting Android TVs, set-top boxes, and eCos devices. They named the gang Bigpanzi due to their enormous scale and previously unknown malware, which comes with the filename “pandoraspear.”
Malware comes loaded with weaponization tools for distributed denial of service (DDoS) attacks, turning TVs into zombies in a large botnet. Compromised devices also transform into operational nodes for illicit streaming, catering to services such as traffic proxying, over-the-top (OTT) content provision, and other pirate traffic.
“Bigpanzi's menace extends beyond the infamous DDoS attacks. It can misuse controlled Android TVs and set-top boxes to disseminate any form of visual or audio content, unbound by legal constraints,” says the report.
They provided an example of a similar real-world incident, when a network attack on set-top boxes in the UAE on December 11th, 2023, substituted regular broadcasts with footage of the Israel-Palestine conflict.
To investigate the gang, researchers obtained a sample of malware on VirusTotal to find the hardcoded nine command and control (C2) servers that the crime ring used.
With two expired domains, researchers “seized this opportunity to register these domains,” effectively hijacking two of the nine C2 servers. They observed a peak of 170,000 daily bots, predominantly from Brazil, connecting daily. The gang retaliated by launching DDoS attacks and other means, but researchers “didn’t engage much in this confrontation.”
“As our investigation and source tracing deepened, a major cybercrime syndicate, active since 2015, gradually surfaced. This syndicate primarily targets Android OS TVs and set-top boxes, as well as eCos OS set-top boxes,” the Qianxin report reads.
They warn that zombified TVs and set-top boxes may broadcast violent, terroristic, or pornographic content or employ increasingly convincing AI-generated videos for political propaganda, thus posing “a significant threat to social order and stability.”
The true scale of the operation may be a lot larger. The observation efforts were limited to just two C2 servers, and usually, TVs and other devices might not be powered on 24/7.
“The botnet nodes are predominantly distributed across Brazil, amassing over 1.3 million distinct IPs since August,” the researchers noted.
What do we know about Bigpanzi?
According to the report, the gang’s modus operandi involves enticing users with free or cheap audio-visual apps or firmware updates embedding backdoor components. The gang lures victims with firmware offers on online forums and other unofficial channels.
Researchers claim that the Bigpanzi cybercrime syndicate has been operating since 2015. They noted that despite the DDoS functionality, there were no commands for such activity during the observation period. That may signal that the gang shifted its focus to the more profitable streaming content when operations expanded.
“However, the discovery of this DDoS Builder tool, coupled with the observed pattern of DDoS attacks initiated upon the resolution of hijacked C2 domain names, confirms the group's long-term engagement in unlawful DDoS activities,” researchers write.
Together with pandoraspear malware, which establishes DNS hijacking and communicates with C2 servers to execute commands, the gang uses other malware for peer-to-peer content distribution.
“Since we started tracking their commands, we've been quietly collecting evidence and steadily working to trace Bigpanzi's origins, with the ultimate goal of delivering a decisive strike against them,” the report reads.
Qianxin researchers even found that the infected firmware with identical DDoS task and method names was available for download on the official website of Spanish manufacturer FoneStar.
Pandoraspear has been continuously evolving since 2015 – the latest captured version was numbered as the 10th. Cybercriminals are also using Amazon Cloud services for malware update deliveries.
The analysts also uncovered persistence mechanisms, such as hijacking HOSTS files and novel encryption methods.
“Over the past eight years, Bigpanzi has been operating covertly, silently amassing wealth from the shadows. With the progression of their operations, there has been a significant proliferation of samples, domain names, and IP addresses,” researchers conclude.
“In the face of such a large and intricate network, our findings represent just the tip of the iceberg in terms of what Bigpanzi encompasses.”
More from Cybernews:
Subscribe to our newsletter