Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230


Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230



Added to the Dr.Web virus database: 2023-03-10

Virus description added:

SHA1: 14215a93ed5d0a86f31aab0b2d7be6db8a45a371


Android.Pandora.2 is a backdoor trojan designed to target Android devices. Its main functionality includes carrying out DDoS attacks and executing remote commands on a victim's device.

Operating routine

The Android.Pandora.2 malicious program was discovered during an investigation into cases of infection occurring in the system partition of an Android TV box model. The infection itself presumably occurred via an unpatched Android OS vulnerability exploitation.

The backdoor is installed into the system storage area with a number of additional components. During the infection analysis, the following files were identified:

  • /system/bin/pandoraspearrk;
  • /system/bin/supervisord;
  • /system/bin/ (in some cases, the file can be installed, instead of the;
  • /system/bin/s.conf;
  • /system/xbin/busybox;
  • /system/bin/curl.

The file pandoraspearrk is itself an Android.Pandora.2 trojan.

The file supervisoid is a supervisor tool that monitors the status of the targeted executable and launches it again if its operation was terminated. In this particular case, it monitors the backdoor’s status, and it uses the configuration from the s.conf file.

The busybox and curl files represent the non-malicious instruments BusyBox (a set of UNIX tools of various functionality) and curl (a utility for transferring data via different network protocols).

The and files are scripts. The former launches the supervisoid file with root privileges and has the structure shown below:

    /system/xbin/daemonsu --auto-daemon &
    /system/bin/supervisord -c /system/bin/s.conf &

The latter creates a number of directories, installs APK packets, and launches the supervisoid file. It has the following structure.

    if [ ! -e $MARK ]; then
    echo "booting the first time, so pre-install some APKs."
    busybox find $PKGS -name "*\.apk" -exec sh /system/bin/pm install {} \;
    touch $MARK
    echo "OK, installation complete."
    if [ ! -e $MARK1 ]; then
    echo "booting the first time, so pre-install some APKs."
    echo "lml in kodi.sh22!!!"
    if [ ! -e $ANDROID_DIR ];then
    echo "no android dir ,we need make android dir first."
    log -t cw "lml in kodi.sh33!!!"
    busybox mkdir /sdcard/Android
    log -t cw "lml in kodi.sh44!!!"
    if [ ! -e $DATA_DIR ];then
    echo "no android dir ,we need make data dir first."
    log -t cw "lml in kodi.sh55!!!"
    busybox mkdir /sdcard/Android/data
    log -t cw "lml in kodi.sh66!!!"
    rm /sdcard/Android/data/org.xbmc.kodi/ -rf
    busybox unzip -o /system/media/ -d /sdcard/Android/data/
    touch $MARK1
    echo "OK, installation complete."
    /system/bin/supervisord -c /system/bin/s.conf &

In particular, it installs Kodi® media center (org.xbmc.kodi), a media center app for Android TV.

Interaction with the C&C server

To connect to the C&C server, the backdoor reads its address from the command-line parameters or from the /data/.ms file, which has been encrypted with a Blowfish algorithm, or it uses a built-in list:

  • ok3[.]mflve[.]com
  • pcn[.]panddna[.]com
  • apz[.]bsaldo[.]com
  • abcr[.]ftsym1[.]com

Next, it verifies whether the /htv and /koocan directories are present. These directories are subsequently used to store a copy of the new version of the backdoor when the self-update command is executed.

The trojan connects to the server on the received address and forms a string with an id, as shown below:


At the same time, the numerical contents of this line may vary, depending on whether the trojan has obtained access to /dev/block/hide, /dev/block/mtdblock5, or /dev/block/mtdblock4, and has gotten the particular data from there.

The resulting string is encoded with a Blowfish algorithm, using a zAw2xidjP3eHQ key; converted into a modified Base64; and transferred to the C&C server. In response, Android.Pandora.2 receives a command.

Commands executed

Commands received by the backdoor are sent in the <...>@<a command>@<an argument #1>@<an argument #2>@... format.

Command Name Aruments Description
11 addns tmpdnsip, tmpdns To add a record into /etc/hosts.
12 del_dns host To remove a record from /etc/hosts.
21 URL To perform an auto update of the trojan app.
31 syn host (and optionally a network port) To execute a DDoS attack on a targeted host through port 80, or through the port listed in the command’s arguments.
32 udp host To execute a DDoS attack via the UDP protocol.
33 icmp host To execute a DDoS attack via the ICMP protocol.
34 mix host To execute a DDoS attack via the ICMP, UDP, and SYN protocols simultaneously.
35 smurf host To execute a DDoS attack via the ICMP protocol.
36 tagr3 host (an IP address or a host name) To execute a DDoS attack.
37 сс Unknown To start a thread to execute a commanded task.
38 dnsflood Unknown To execute a DNS Query Flood-type attack.
88 shell host, port To open a Reverse Shell to host:port (or to /system/bin/sh, or to ksh).
110 stopall To stop all processes performing DDoS attacks (for each DDoS attack command received, 50 processes are created by default).
3000 lbs Unknown, IP To write a C&C server address into /data/.ms and connect to this server.
5000 URL To write a C&C server address into /data/.ms.
5555 Unknown To update a С&C server address in /data/.ms.
6269 A command To mount the /system partition in rw mode, to execute a command, to write the command output into the log, to mount the /system partition in ro mode.

Substitution of the /etc/hosts

Upon connecting to the C&C server, Android.Pandora.2 receives a link for downloading the hosts file the attackers need. This file is encoded with a Blowfish algorithm and encoded with a modified Base64.

The backdoor decrypts this hosts file and then uses it to replace the original system file located in /etc/hosts.

Recommandations pour le traitement


  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android