A group of hackers has been secretly building a botnet of smart TV and eCos set-top boxes, and then monetizing the access to earn masses of wealth, researchers have warned.
Cybersecurity experts from Qianxin Xlabs dubbed the operation “Bigpanzi”, and claim there are some 170,000 daily active bots.
Given that not all endpoints are active at the same time, the botnet is expected to be much larger, with researchers claiming to have seen 1.3 million unique IP addresses since August 2023.
Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today.
Preferred partner (What does this mean?)
Tip of the iceberg
To infect the devices with malware, the criminals trick the victims into downloading malicious apps themselves, a separate report from Dr. Web says. The apps, which haven’t been named, drop two malware variants: pandoraspear, and pcdn. While one acts as a trojan and allows the attackers to hijack DNS settings and run commands, the other helps build a peer-to-peer (P2P) Content Distribution Network (CDN) and can mount Distributed Denial of Service (DDoS) attacks.
The campaign is active since 2015, the researchers claim, with most victims apparently being located in Brazil. "Over the past eight years, Bigpanzi has been operating covertly, silently amassing wealth from the shadows," Xlabs said in its report. "With the progression of their operations, there has been a significant proliferation of samples, domain names, and IP addresses."
"In the face of such a large and intricate network, our findings represent just the tip of the iceberg in terms of what Bigpanzi encompasses."
There are a number of things Bigpanzi’s operators can do with infected devices. Most notably, they can turn the compromised set-top boxes into nodes and offer them as part of an illegal media streaming service. Furthermore, they can offer traffic proxy networks for hire, and mount DDoS attacks to whoever is happy to pay. Finally, they can use the botnet for OTT content provision.
Edit, January 19 - After the publication of this article, a Google spokesperson reached out with the following statement:
“These devices found to be infected appear to be Android Open Source Project (AOSP) devices, which means that anyone can download and modify the code. Android TV is Google's operating system for smart TVs and streaming devices. It is proprietary, which means that only Google and its licensed partners can modify the code.
If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”
More from TechRadar Pro
- FBI warns criminals are building a dangerous new botnet — and it's after your Microsoft or AWS logins and more
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.