Vast botnet hijacks smart TVs for prime-time cybercrime

8-year-old op responsible for DDoS attacks and commandeering broadcasts to push war material

Security researchers have pinned a DDoS botnet that's infected potentially millions of smart TVs and set-top boxes to an eight-year-old cybercrime syndicate called Bigpanzi.

At least 170,000 bots were running daily at the campaign's height after infecting Android-based TVs and other streaming hardware via pirated apps and firmware updates.

A common infection scenario would see a user visit a dodgy streaming site while browsing on their smartphone, only to then be pushed into downloading the associated malicious app to their Android-based smart TV.

A user would then have their device backdoored and its resources made available for use in various cybercrimes, including DDoS attacks and hijacking other streams, replacing other channels' content with an attacker's.

Such a case happened in the United Arab Emirates back in December 2023, for example, where regular broadcasts were hijacked with imagery from inside the conflict between Israel and Palestine.

"The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability," said researchers at Chinese security biz Qianxin.

The researchers didn't detail the history of the botnet's DDoS activity or blame it for any high-profile attacks, but to get a feel for what it's capable of, its DDoS commands are inherited from the infamous Mirai.

Qianxin's investigation revealed the malware, called pandoraspear, added 11 different Mirai-related DDoS attack vectors to its list of commands after the first few versions had comparatively weaker tools in this area.

As we all know, Mirai was responsible for some of the most high-profile DDoS attacks from yesteryear, including those on Dyn, GitHub, Reddit, and Airbnb – all falling on that one October 2016 day that broke the internet (not the viral sensation kind). It's also a malware that just keeps cropping up and is under active development to this day.

In trying to trace the identity of those behind pandoraspear, Qianxin's researchers eventually narrowed their search down to a single company but didn't disclose it in their report.

Bigpanzi and the pandoraspear malware have been active since at least 2015.

Work to trace Bigpanzi is still ongoing and the researchers' "ultimate goal" is to deliver "a decisive strike against them."

Bigpanzi's efforts have been concentrated in Brazil, São Paulo mainly, the city where many of the 170,000 bots were identified at the campaign's peak.

The scale of the botnet was only realized when two of the nine domains used for the botnet's command and control (C2) infrastructure expired, allowing the researchers to register those domains for themselves and have a peek at how it was being run.

The criminals didn't take too kindly to the researchers hijacking their domains and responded by forcing them offline. 

"Upon realizing that we had secured their domains, the group countered aggressively," the researchers wrote. "They bombarded our domains with DDoS attacks to force them offline and manipulated the hosts files of the infected devices. 

"This strategy redirects certain domain names to specific IP addresses, bypassing the normal DNS resolution process used to find the IP addresses of command and control domains. This greatly limits our ability to observe and track them.

"We didn't engage much in this confrontation, voluntarily ceased resolving, and consequently lost this perspective."
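The hosts-file manipulation the researchers describe leaves a trace a defender can look for: entries that pin a name to a fixed address so it never goes through DNS. The sketch below is an added example, not code from Qianxin's report or from this article; it assumes the hosts file has already been pulled from a device (on Android, `/system/etc/hosts`), that a stock file holds only the two loopback entries in `BASELINE`, and it runs on a constructed sample that uses reserved documentation names and addresses.

```python
import ipaddress

# Assumed baseline: the only entries a stock AOSP hosts file is expected to hold.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "ip6-localhost")}


def audit_hosts(text, baseline=BASELINE):
    """Return (line_no, kind, ip, name) for every entry outside the baseline."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, "malformed", entry[0], ""))
            continue
        for name in entry[1:]:  # one line may map several names
            name = name.lower().rstrip(".")
            if (str(addr), name) in baseline:
                continue
            # Loopback/unspecified targets block a name; any other address
            # pins the name to that IP and bypasses DNS resolution.
            if addr.is_loopback or addr.is_unspecified:
                kind = "sinkhole"
            else:
                kind = "redirect"
            findings.append((line_no, kind, str(addr), name))
    return findings


# Constructed sample: reserved documentation addresses and example names only.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
# entries below are constructed for this example
203.0.113.10    c2.example.invalid   # name pinned to a fixed IP
0.0.0.0         update.vendor.example
198.51.100.7    cdn.example.invalid dl.example.invalid
not-an-ip       broken.example
"""

if __name__ == "__main__":
    for line_no, kind, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {name or '-'} -> {ip}")
```

A `redirect` finding on a consumer TV box is the case that matches the behaviour described above; `sinkhole` entries are more often ad-blocking or update-blocking and need separate judgement.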

It's thought the group has recently shifted its DDoS operations to a separate botnet they control, using this for more lucrative cybercrimes such as running it as a content delivery network.

"This strategic shift underscores the adaptability and evolving nature of cybercrime syndicates like Bigpanzi," the researchers added.

The botnet is thought to be larger than the six-figure size recorded at its August peak. The researchers said infected devices, given they're consumer-grade in nature, aren't likely to be powered on every second of every day, leading to oversights.

They were also only able to hijack two of the nine C2 and malware-downloader domains, meaning their visibility into the operation is limited.

"In the face of such a large and intricate network, our findings represent just the tip of the iceberg in terms of what Bigpanzi encompasses," the researchers said. "There's a vast amount of tracing and investigative work still to be undertaken. 

"The analysis presented in this article is but a faint light in the darkness, illuminating a small part of the shadowy existence of Bigpanzi. We welcome insights from the cybersecurity community and invite collaboration from those with the motivation and capability to manage such threats. Together, there's an opportunity to combat the Bigpanzi group and contribute to maintaining cybersecurity." ®

Update at 10.20 UTC on January 19, 2024, to add:

In a statement, Google said:

"These devices found to be infected appear to be Android Open Source Project (AOSP) devices, which means that anyone can download and modify the code. Android TV is Google's operating system for smart TVs and streaming devices. It is proprietary, which means that only Google and its licensed partners can modify the code.

"If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."
