This variant is an evolution of the ‘Pandora’ backdoor, first identified in 2015. Its primary focus is on affordable Android TV boxes like the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, which are equipped with quad-core processors capable of launching potent DDoS attacks, even in small swarm sizes.The malware reaches these devices through two distribution channels.
First, malicious firmware updates signed with publicly available test keys are installed either by device resellers or by tricking users into downloading them from websites promising unrestricted media streaming or enhanced application compatibility. The second channel involves pirated content apps that offer access to copyrighted TV shows and movies either for free or at a minimal cost.
Furthermore, these apps secretly launch the ‘GoMediaService’ in the background during their first use, setting it to auto-start on device boot. Once active, the Mirai variant communicates with a command and control (C2) server, replaces the HOSTS file, updates itself, and enters standby mode, awaiting commands from its operators.
This malware is capable of executing DDoS attacks over TCP and UDP protocols, such as generating SYN, ICMP, and DNS flood requests, as well as opening a reverse shell and modifying system partitions.
The targeting of budget-friendly Android TV boxes is concerning due to their murky origins and potential for preloaded malware, even for cautious users who retain the original ROM. Users are urged to exercise caution and prioritize device security.