Bigpanzi Bot has successfully hacked over 170,000 Android TVs in order to initiate DDoS attacks.

Android TVs are widely used, and that popularity makes them a frequent target for attackers seeking unauthorized access or data theft.

On Android smart TVs, security weaknesses in outdated software or third-party applications can be exploited.

The potential vulnerability of smart or Android TVs to cyber threats makes them attractive targets for malicious actors aiming to exploit user privacy or carry out larger-scale attacks on home networks.

A group of cybersecurity experts, including Alex.Turing, Acey9, and rootkiter, recently revealed that over 170,000 Android TVs have fallen victim to the “Bigpanzi” bot, which has been used to launch devastating DDoS attacks.

170,000+ Android TVs have been hacked by the Bigpanzi Bot.

Botnet nodes across Brazil (Source: Xlab Qianxin)

The group retaliated by employing DDoS attacks and manipulating host files. Their primary targets were Android devices, which they infected with malicious scripts and APKs, thereby exposing a significant cybercrime organization known as “Bigpanzi.”

The modus operandi of this syndicate involves enticing users to install certain applications, which then transform their devices into nodes for illegal streaming, DDoS attacks, and piracy. However, Bigpanzi takes its activities a step further by hijacking televisions to carry out real-world attacks, as demonstrated in the UAE incident on December 11, 2023, where conflict footage was broadcast.

The devices controlled by Bigpanzi pose a grave threat as they disseminate violent and propaganda content, thereby jeopardizing social order.

During their investigation, security researchers discovered the downloader domain ak.tknxg.cf in the Pcdn sample. Further Google searches revealed two potential leads: “device upgrade instructions” and “repair guidance.”

Of particular interest was a YouTube channel located at https[:]//www.youtube[.]com/@customersupportteam49. This channel contained numerous videos that appeared to be official device operation guides. Additionally, the eCos firmware b0a192c6f2bbd7247dfef36665bf6c88, found on FoneStar’s RDS-585WHD page, matched the DDoS task names associated with Pcdn, leading to suspicions that it was “official firmware embedded with malware.”

The discovery of an “official video account” and “official malware-infused firmware” only fueled speculation regarding the true identity of Bigpanzi.
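One way a defender could check their own resolver logs and firmware images against the downloader domain and firmware hash quoted above. This is an added example, not code from the researchers' report; the log format, the sample lines, and the function names are constructed for illustration, and the 32-hex-digit firmware identifier is assumed to be an MD5 digest.

```python
import hashlib
import re

# Indicators quoted in the article above.
DOWNLOADER_DOMAIN = "ak.tknxg.cf"
# Assumption: the 32-hex-digit firmware identifier is an MD5 digest.
FIRMWARE_MD5 = "b0a192c6f2bbd7247dfef36665bf6c88"

HOST_RE = re.compile(r"[a-z0-9_-]+(?:\.[a-z0-9_-]+)+")

# Constructed resolver log lines for illustration (not real telemetry).
SAMPLE_LOG = [
    "2024-01-20T10:00:01Z client=192.168.1.23 query=AK.TKNXG.CF. type=A",
    "2024-01-20T10:00:02Z client=192.168.1.23 query=cdn.ak.tknxg.cf type=A",
    "2024-01-20T10:00:03Z client=192.168.1.40 query=ak.tknxg.cf.example.com",
    "2024-01-20T10:00:04Z client=192.168.1.40 query=notak.tknxg.cf type=A",
    "2024-01-20T10:00:05Z note=blocklist entry hxxp://ak[.]tknxg[.]cf/x",
]


def refang(text):
    """Lowercase and undo common defanging such as hxxp, [.] and [:]."""
    text = text.lower().replace("[.]", ".").replace("[:]", ":")
    return text.replace("hxxp", "http")


def matches_domain(host, domain=DOWNLOADER_DOMAIN):
    """True for the domain or any subdomain, never for look-alike names."""
    return host == domain or host.endswith("." + domain)


def scan_dns_log(lines):
    """Return (line_number, host) for each name that hits the indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(refang(line)):
            if matches_domain(host):
                hits.append((number, host))
    return hits


def firmware_is_flagged(path, known_md5=FIRMWARE_MD5):
    """Hash a firmware image in chunks and compare with the quoted digest."""
    digest = hashlib.md5()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == known_md5.lower()


if __name__ == "__main__":
    for number, host in scan_dns_log(SAMPLE_LOG):
        print(f"line {number}: query for {host}")
```

Matching on the label boundary (`"." + domain`) is what keeps look-alike names such as the constructed `notak.tknxg.cf` and `ak.tknxg.cf.example.com` from producing false positives.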

It is highly likely that the botnet controlled by Bigpanzi is even larger, potentially consisting of 100,000 infected devices. Furthermore, this botnet infects both Android and eCos platforms using three distinct methods.

The three methods are:

  • Unauthorized movie and TV applications (Android)
  • Compromised OTA firmware with a backdoor (Android)
  • “SmartUpTool” firmware with a backdoor (eCos)

Furthermore, in order to infect Android or eCos systems, the Bigpanzi malware spreads compromised firmware through various STB, DVB, and IPTV forums.

The malware, for its part, uses the following countermeasures against analysis:

  1. Modified UPX Shell: The samples are packed with a modified UPX shell to hinder unpacking and analysis.
  2. Dynamic Linking: The samples are dynamically linked.
  3. OLLVM Techniques: OLLVM techniques are employed to obfuscate the code and make it difficult for analysts to reverse engineer.
  4. Anti-Debugging Mechanism: An anti-debugging mechanism is implemented to prevent researchers from analyzing the malware.

In addition to these countermeasures, cybersecurity analysts have discovered a DDoS Builder known as “Fl00d” (ce690167abeee4326d5369cceffadaaf). This builder has a configuration interface with a ‘slave’ button that generates bot samples for STB, Linux, and Windows. Initially, there were doubts about Bigpanzi’s involvement in DDoS attacks, but the discovery of this DDoS Builder confirms its long-term engagement in such activities.

However, no attack commands have been tracked, indicating a shift in focus towards lucrative content business lines, such as Android TV and STBs. The adaptability of Bigpanzi has been highlighted, showcasing its evolution in the ever-changing threat landscape.

Operating covertly for eight years, Bigpanzi has managed to accumulate significant wealth, resulting in a vast network of samples, domains, and IPs. The existence of complex connections is attributed to the reuse of code and infrastructure.