Cybersecurity experts at Doctor Web have uncovered a massive malware campaign targeting Android-based TV boxes. Dubbed Android.Vo1d, the newly discovered malware has infected nearly 1.3 million devices across 197 countries, making it one of the most widespread infections of its kind.
The malware acts as a backdoor, allowing attackers to secretly install third-party software on compromised devices by manipulating system files.
The infection was first detected in August 2024 when users contacted Doctor Web after noticing suspicious changes in their TV boxes. The problem occurred with these models:
TV Box Model Declared Firmware Version
R4 Android 7.1.2; R4 Build/NHG47K
TV BOX Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP Android 10.1; KJ-SMART4KVIP Build/NHG47K
Affected devices displayed alterations in critical system files, such as install-recovery.sh and daemonsu, while new, malicious files emerged in the system, including:
- /system/xbin/vo1d
- /system/xbin/wd
- /system/bin/debuggerd
- /system/bin/debuggerd_real
According to researchers, the Android.Vo1d malware cleverly disguises itself by naming one of its core components “vo1d. ” This closely resembles the system process “vold,” with only a subtle difference—the use of the number “1” instead of the letter “l.”
Vo1d’s Reach and Impact
Doctor Web’s analysis reveals that Android.Vo1d uses multiple methods to gain persistence, exploiting critical system files to ensure they survive reboot cycles. Once the malware takes hold, it can download and execute additional payloads at the command of a remote C&C server.
The geographical distribution of infections is staggering, with the highest number of compromised devices reported in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia. Doctor Web estimates that over 1.3 million devices are compromised, and the infection spreads.
Why Android TV Boxes Are Targeted
According to Doctor Web, the Android TV boxes affected by the malware often run on outdated versions of the Android OS, making them easy targets for attackers. Many of these devices still operate on Android 7.1, while their specifications misleadingly claim support for newer versions like Android 10 and Android 12. This discrepancy is common among budget TV box manufacturers, who exploit outdated software to reduce costs.
Additionally, users often overlook TV boxes as potential security risks, focusing more on smartphones and tablets when installing antivirus software. This lack of protection, combined with the installation of third-party apps or unofficial firmware, creates an environment ripe for exploitation.
Infection Vector and Mitigation
The exact method used to spread Android.Vo1d remains unknown, but experts suggest several possibilities. The malware may have been delivered through an intermediary infection that leveraged vulnerabilities in the Android operating system to gain root access. Alternatively, it could have been pre-installed via unofficial firmware with built-in root access. As Android TV boxes remain vulnerable, users are advised to be cautious when installing third-party applications and to ensure that their devices are running up-to-date antivirus software to mitigate the risk of infection.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.