Bigpanzi cybercriminal syndicate infected at least 170,000 Android TVs with malware

Bigpanzi cybercriminal syndicate infected at least 170,000 Android TVs with malware

A large-scale cybercrime operation has been discovered that is targeting Android TVs, eCos devices, and set-top boxes in order to ensnare the compromised devices in a DDoS botnet.

Named ‘Bigpanzi’ by experts with Chinese cybersecurity firm Qianxin X Laboratory, the cybercriminal gang has been active since 2015. Unlike other botnets spreading via zero-day or N-day vulnerabilities, Bigpanzi delivers malware through pirated movie and TV apps or firmware updates containing a backdoor.

The researchers said they discovered around 170,000 Android TVs infected with unknown malware, mainly located in Brazil, although it might be just the tip of the iceberg. Qianxin believes that Bigpanzi is the same threat actor behind the Pandora botnet first spotted in September 2023.

“Bigpanzi's menace extends beyond the infamous DDoS attacks. It can misuse controlled Android TVs and set-top boxes to disseminate any form of visual or audio content, unbound by legal constraints,” the report said.

The investigation into the gang began after the researchers spotted a suspicious ELF file on VirusTotal named ’pandoraspear.’ An analysis revealed nine hardcoded command-and-control domain names, two of which the researchers were able to hijack. They observed a peak of 170,000 daily active bots. The group retaliated with DDoS attacks to force the domains offline and manipulated the hosts files of the infected devices, limiting the researchers’ ability to track the gang’s activities.

Bigpanzi is not the first cybercriminal gang to abuse smart TVs and set-top boxes for nefarious purposes. Last year, a vast ad fraud botnet was discovered that involved thousands of cheap Android-based mobile phones, tablets, and TV boxes infected with the Triada backdoor. The goal of the operation dubbed “Peachpit” was to install malicious apps on the infected devices that would display unwanted ads.

In May, Trend Micro shed light on another cybercrime enterprise known as Lemon Group that was using millions of pre-infected Android smartphones worldwide to carry out their malicious operations.


Back to the list

Latest Posts

Cyber Security Week in Review: May 9, 2025

Cyber Security Week in Review: May 9, 2025

In brief: SAP zero-day exploited by Chinese hackers, SonicWall patches bugs in its SMA appliances, and more.
9 May 2025
Russia-linked Coldriver hackers deploy new espionage malware in targeted attacks

Russia-linked Coldriver hackers deploy new espionage malware in targeted attacks

LOSTKEYS is designed to steal sensitive files, harvest system information, and exfiltrate details about running processes.
8 May 2025
Russia-aligned operation manipulates audio and images to impersonate experts

Russia-aligned operation manipulates audio and images to impersonate experts

The operation primarily focused on undermining NATO support for Ukraine and spreading false narratives to disrupt domestic politics in EU member states.
7 May 2025
Popular Posts
Featured vulnerabilities
Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace
Сritical Patched | 09 May, 2025
Inefficient regular expression complexity in Koa.js koa
Сritical Patched | 09 May, 2025
Cross-site scripting in IFrame Remove Filter module for Drupal
Low Patched | 09 May, 2025
MitM attack in Erlang OTP SSH
Low Patched | 09 May, 2025
Stored cross-site scripting in Klaro Cookie & Consent Management module for Drupal
Low Patched | 09 May, 2025