A new threat to Android devices named android[.]pandora has been identified that compromises the devices when pirated video content is installed or during firmware updates.
This malware belongs to the variant of Mirai Trojan, which has been used to infect smart devices and utilize a network of remotely controlled bots or “zombies” to launch DDOS.
Doctor Web has identified this malware as Android.Pandora.10 and its capabilities and shared the detailed report on its official page.
This malware targets users of Android TV-based devices with lower prices, especially users of the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.
Once the machine gets infected, it changes the files in the system directory, and the below objects have been installed to launch the trojan
- /system/bin/pandoraspearrk
- /system/bin/supervisord
- /system/bin/s.conf
- /system/xbin/busybox
- /system/bin/curl
Pandoraspearrk – Identified in the virus database as the Android[.]Pandora[.]2 backdoors and used to perform DDoS.
The supervisord – monitors the status of the pandoraspearrk executable and restarts the backdoor if it is terminated.
s.conf – stored the settings for Supervisord
The busybox and curl command-line utilities with the same name are included for networking and file system operations.
This malware can be installed as part of a firmware update available for download on several places as Android Open Source Project test keys.
Installing pirated movie and TV apps is an alternative way malware invades Android devices.
Once launched successfully, the device’s malicious programs can interact with open ports.
The backdoor downloads a host’s file to replace the original system file, starts the self-update process and becomes ready to receive commands.
By sending commands to an infected device, attackers can launch and stop DDoS attacks over the TCP and UDP protocols, perform SYN, ICMP, and DNS flood, open a reverse shell, mount Android TV system partitions in read/write mode, and so on.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.