Both in January and May 2023, disturbing information came to light regarding popular budget Chinese TV Boxes running on the Android mobile system (AOSP). These devices were discovered to come preloaded with malware, and a new variant of the notorious Mirai malware botnet has now emerged, posing a significant threat. Infected are low-cost Android TV boxes like Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, which feature quad-core processors capable of launching powerful DDoS attacks.
New Mirai malware botnet variant on low-cost Chinese Android TV Boxes – Details
Dr. Web’s antivirus team recently uncovered this new Mirai malware (the current trojan is a new version of the ‘Pandora’ backdoor that first appeared in 2015) botnet, as reported by BleepingComputer. Its primary targets are the low-cost Android TV boxes sold through both major and minor retailers. These boxes, which are in active use by millions of users, possess quad-core processors capable of launching powerful DDoS attacks, even with relatively small swarm sizes.
The Mirai malware variant infiltrates these devices via two main avenues, according to Dr. Web:
Pre-loaded by Manufacturers – In this scenario, the malware is integrated into the firmware updates, either by the device resellers or through deceptive tactics where users are tricked into downloading these updates from websites promising unrestricted media streaming or better application compatibility.
Malicious Apps for Pirated Content – The second distribution channel involves malicious apps that claim to provide free or low-cost access to copyrighted TV shows and movies. These apps are enticing to users seeking access to premium content without proper authorization.
The malware, once on the compromised devices, persists within the ‘boot.img,’ which contains components loaded during the Android system boot-up, ensuring its persistence. This stealthy mechanism allows the malware to operate discreetly in the background.
In the case of malicious apps, the malware establishes persistence during the first app launch. It initiates the ‘GoMediaService,’ running surreptitiously in the background and auto-starting on device boot. This service triggers the ‘gomediad.so’ program, which unpacks various files, including a command-line interpreter with elevated privileges (‘Tool.AppProcessShell.1’) and an installer for the Pandora backdoor (‘.tmp.sh’).
Once active, the Pandora backdoor establishes communication with its Command and Control (C2) server, replacing the HOSTS file, updating itself, and then going into standby mode, awaiting commands from its operators.
The Mirai variant is a potent threat, capable of launching DDoS attacks through TCP and UDP protocols. It can generate SYN, ICMP, and DNS flood requests, open a reverse shell, mount system partitions for modification, and execute other malicious activities.
These budget-friendly Android TV boxes often have an uncertain journey from the manufacturer to the end-user, making it challenging for consumers to ascertain their origins, firmware alterations, and potential exposure to preloaded malware. Even for cautious users who retain the original ROM and exercise caution in app installations, there remains a lingering risk of devices arriving with preloaded malware.
It is safer to use certified devices of “big players”
It’s important to note that these Android TV boxes are not powered by Android TV (or Google TV) certified by Google; rather, they run on mobile Android, specifically the Android Open Source Project (AOSP). This distinction allows the manufacturers to modify the software and customize the user interface, unlike officially licensed Android TV and Google TV boxes that adhere to Google’s mandated user interface.
In light of these security concerns, it is advisable to opt for streaming devices from trusted brands such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, or Roku Stick, which are known for their robust security measures and commitment to user safety.