Cybersecurity experts at Doctor Web have recently exposed a massive malware campaign targeting Android-based TV boxes, known as Android.Vo1d. This malware has managed to infect approximately 1.3 million devices across 197 countries, marking it as one of the most extensive infections in recent history. The malware functions as a backdoor, enabling attackers to secretly install additional malicious software by manipulating essential system files. This extensive breach underscores the significant security vulnerabilities inherent in these devices.
The Vo1d malware was first detected in August 2024, with users reporting suspicious changes in their TV boxes. The affected models include those running outdated versions of Android, such as Android 7.1.2, Android 10.1, and Android 12.1. Critical system files, including install-recovery.sh and daemonsu, were found altered, while new malicious files like /system/xbin/vo1d and /system/bin/debuggerd were introduced. The malware cleverly disguises itself by naming one of its core components “vo1d,” a subtle variation of the legitimate system process “vold.”
Doctor Web’s analysis reveals that Android.Vo1d uses various methods to maintain persistence, exploiting system files to ensure the malware remains active even after reboots. Once installed, Vo1d can download and execute additional payloads as directed by a remote command-and-control server. The geographical distribution of infections is notable, with the highest numbers reported in Brazil, Morocco, Pakistan, and several other countries, indicating a widespread and rapidly spreading threat.
The Android TV boxes targeted by Vo1d often run on outdated operating systems, making them particularly vulnerable. Many of these devices operate on older versions of Android, despite claims of supporting newer versions. This discrepancy, combined with users’ general neglect of security measures on TV boxes, creates a ripe environment for exploitation. The exact infection vector remains unclear, but it is suggested that the malware could have been spread via vulnerabilities in the Android OS or through unofficial firmware with built-in root access. Users are advised to exercise caution when installing third-party applications and ensure their devices have up-to-date security protections to mitigate the risk of such infections.
Reference:
