Pierluigi Paganini
February 28, 2025
In September 2024, Doctor Web researchers uncovered a malware, tracked as Vo1d, that infected nearly 1.3 million Android-based TV boxes belonging to users in 197 countries. The malicious code acts as a backdoor allowing attackers to download and install third-party software secretly.
In August 2024, several users reported that Dr.Web antivirus detected changes in their TV box system files. The problems were observed in several models, including the R4 (Android 7.1.2), TV BOX (Android 12.1), and KJ-SMART4KVIP (Android 10.1). The indicators of compromise were similar in all cases, with modifications to system files like install-recovery.sh and daemonsu. Additionally, four new files appeared: vo1d, wd, debuggerd, and debuggerd_real. The vo1d and wd files were identified as components of Vo1d Android trojan.
The experts reported that the geographical distribution of the infections included almost 200 countries. The largest number of infections was reported in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.
Doctor Web observed that attackers target TV boxes because these devices often run outdated Android versions with unpatched vulnerabilities and lack updates. Many users reported devices labeled as running Android 10 or 12, but they were actually using Android 7.1. Unfortunately, manufacturers often sell older OS versions as newer ones. Users may also mistakenly believe TV boxes are more secure than smartphones and are less likely to install antivirus software, increasing their risk when downloading third-party apps or unofficial firmware.
Researchers at the Chinese cybersecurity firm QiAnXin (QAX) recently discovered 89 new malware samples. The botnet has ~800,000 daily active IPs, peaking at 1,590,299 on January 14, 2025.
Vo1d botnet has enhanced its stealth and resilience with RSA encryption to secure communication, preventing C2 takeover. Its infrastructure now includes hardcoded and DGA-based Redirector C2s for flexibility. Payload delivery is optimized with unique Downloaders using XXTEA encryption and RSA-protected keys, making analysis and detection significantly harder.
QiAnXin speculates that Vo1d’s main goal is building a proxy network, similar to 911 S5, which made $99M in illicit profits. In May 2024, an international law enforcement operation led by the U.S. DoJ disrupted the 911 S5 botnet and led to the arrest of its administrator, opening new opportunities for botnets providing anonymization services like Vo1d.
24,97% of Vo1d-infected devices are in Brazil, followed by South Africa (13%), Indonesia (10%), Argentina (5%), Thailand (3%), and China (3%), spanning 200+ regions.
“Vo1d’s massive scale and continuous evolution pose a severe, long-term threat to global cybersecurity. Its ability to operate undetected for over three months highlights its stealth. By sharing our findings, we aim to contribute to the fight against cybercrime and raise awareness of this formidable threat.” concludes the report that includes Indicators of Compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, botnet)
