A variant of the Mirai botnet [4], known as Pandora [3], has recently been discovered targeting inexpensive Android-based TV sets and TV boxes [2] [3] [4]. This variant focuses on Spanish-speaking users. It reaches devices through malicious firmware updates or through applications for streaming pirated video content that users install themselves.


Pandora uses a backdoor in the boot.img file, which lets it persist across system restarts [1] [2] [4] [5]. Once the malicious app is installed, it launches a background service called “GoMediaService” that unpacks files [1] [2] [4] [5], including an interpreter with elevated privileges and an installer for Pandora [1] [2] [4] [5]. The malware then connects to a remote server, modifies the hosts file [3], and receives commands to carry out distributed denial-of-service (DDoS) attacks over TCP and UDP. It also opens a reverse shell [1] [2] [5].
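The two on-device traces named above, the “GoMediaService” service and a modified hosts file, can be checked from text captured off a device. The following triage sketch is an added example, not code from the cited reports. It assumes the inputs were collected with `adb shell cat /system/etc/hosts` and `adb shell dumpsys activity services`, and the sample data, the package name and the stock-hosts baseline are constructed assumptions.

```python
import re

# Loopback entries a stock Android hosts file is assumed to contain (assumption).
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "ip6-localhost"), ("::1", "localhost")}
SERVICE_NAME = "GoMediaService"  # service name the article attributes to Pandora
SERVICE_RE = re.compile(r"ServiceRecord\{\S+ \S+ (?P<component>[^\s}]+)\}")

def unexpected_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that are not stock loopback entries."""
    findings = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split columns
        for name in fields[1:]:                 # one IP may map several names
            if (fields[0], name.lower()) not in DEFAULT_HOSTS:
                findings.append((fields[0], name.lower()))
    return findings

def suspicious_services(dumpsys_text, needle=SERVICE_NAME):
    """Return components whose service class name equals the needle."""
    hits = []
    for m in SERVICE_RE.finditer(dumpsys_text):
        component = m.group("component")
        cls = component.rsplit("/", 1)[-1].rsplit(".", 1)[-1]
        if cls.lower() == needle.lower() and component not in hits:
            hits.append(component)
    return hits

def triage(hosts_text, dumpsys_text):
    return {"hosts": unexpected_hosts_entries(hosts_text),
            "services": suspicious_services(dumpsys_text)}

# Constructed sample input (not taken from a real infected device).
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 ip6-localhost
203.0.113.10 updates.example.invalid  # constructed entry
"""
SAMPLE_DUMPSYS = """  * ServiceRecord{1a2b3c u0 com.example.placeholder/.GoMediaService}
  * ServiceRecord{4d5e6f u0 com.android.systemui/.SystemUIService}
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_DUMPSYS))
```

A hit is a lead for further inspection rather than proof of infection: extra hosts entries can be legitimate, and a clean result does not rule out the boot.img backdoor.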

The primary targets of this campaign are low-cost Android TV boxes equipped with quad-core processors [2], such as the Tanix TX6 TV Box [1] [2] [5], MX10 Pro 6K [1] [2] [3] [5], and H96 MAX X3 [1] [2] [3] [5]. To prevent infection, users should keep device firmware up to date and download software only from trusted sources. It is also important to take precautions against DDoS attacks.


The Pandora botnet poses a significant threat to Spanish-speaking users of inexpensive Android-based TV sets and TV boxes. To mitigate the risk of infection [4], users should keep device firmware up to date and exercise caution when downloading software. It is also essential to implement measures to protect against DDoS attacks, and for users to remain vigilant and stay informed about potential security threats.


[1] https://jn66dataanalytics.com/news/mirai-botnet-variant-pandora-hijacks-android-tvs-for-cyberattacks-the-hacker-news
[2] https://thehackernews.com/2023/09/mirai-botnet-variant-pandora-hijacks.html
[3] https://www.linkedin.com/posts/wdevault_mirai-botnet-variant-pandora-hijacks-android-activity-7105493085328982016-XTmS
[4] https://cybersec84.wordpress.com/2023/09/07/pandora-botnet-infects-android-tvs-used-in-ddos-attacks/
[5] https://vulners.com/thn/THN:8A94658BA0BCD8BB541D10759B835974