| Vo1d | |
|---|---|
| Type of Malware | Trojan |
| Date of Initial Activity | 2024 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
| Type of Information Stolen | System Data |
Overview
In recent months, cybersecurity researchers have uncovered a significant and growing threat targeting Android-based TV boxes worldwide. The Android.Vo1d malware, a backdoor Trojan, has infected over 1.3 million devices across 197 countries. This malware is particularly concerning due to its ability to bypass standard security measures and its widespread presence in regions such as Brazil, Morocco, and Pakistan. Android.Vo1d is designed to secretly download and install third-party software, allowing attackers to gain full control over infected devices. While TV boxes are often considered less susceptible to malware attacks compared to smartphones, Android.Vo1d’s persistence and stealth make it a serious security concern.
One of the reasons Android.Vo1d has been so successful in infecting such a large number of devices is the prevalence of outdated Android versions running on many budget TV boxes. These devices are often not updated regularly, leaving them vulnerable to exploitation. Attackers leverage this weakness, exploiting unpatched security flaws to gain unauthorized access to the system. Once inside, Android.Vo1d can manipulate critical system files and establish root access, enabling the malware to embed itself deep within the device. The malware primarily functions through two components, vo1d and wd, which work together to maintain the infection and execute malicious commands.
Targets
Individuals
How they operate
Infection and Persistence Mechanism
The infection process begins when the Android.Vo1d malware gains root access to the infected Android TV box. One of the most striking features of Android.Vo1d is its ability to modify critical system files to ensure persistence. The malware exploits vulnerable devices, often running outdated versions of Android that lack security updates, which makes them an ideal target. Upon infection, Android.Vo1d modifies files like install-recovery.sh, daemonsu, and debuggerd—components essential to the Android operating system’s boot and operation.
The install-recovery.sh file is a script that is executed during device startup. Android.Vo1d inserts its own malicious code into this script to ensure that its components are launched automatically when the device reboots. Additionally, the malware makes changes to daemonsu, a file responsible for providing root privileges, which further consolidates its control over the infected system. These modifications allow Android.Vo1d to establish a foothold that survives device reboots, making it difficult to remove.
Malware Components and Functionality
Android.Vo1d consists of several components, each serving a specific function. The core components are vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3). These components operate in tandem to provide the malware with full control over the infected device. The vo1d module acts as the primary control agent, responsible for launching the wd component and overseeing its operation. This includes restarting the wd process if necessary and downloading additional malicious payloads from the command-and-control (C2) server when instructed.
The wd module, on the other hand, is responsible for installing and launching the Android.Vo1d.5 daemon, which is encrypted and stored within its body. This module also monitors specific directories on the infected device and installs any APK files it finds in those directories. The dual-component design of Android.Vo1d allows it to execute multiple tasks concurrently and ensures that it can maintain control over the infected system.
Command and Control Communication
Once Android.Vo1d is installed on the device, it establishes a communication channel with its C2 server to receive instructions from the attackers. The malware uses HTTP or DNS tunneling for this communication, allowing it to send and receive data covertly. The C2 server can issue commands to the infected device, such as downloading additional payloads or exfiltrating data. This communication is a crucial aspect of the malware’s operation, as it enables the attacker to maintain control over the device remotely.
The malware’s communication is designed to be stealthy, using DNS tunneling to send data in small chunks inside DNS queries. This technique lets the malware slip past traditional network security measures and makes detection more difficult. Once the malware receives a command from the C2 server, it executes the specified actions, such as installing other malicious applications or stealing sensitive data from the device.
Data Exfiltration and Impact
While the primary goal of Android.Vo1d is to establish long-term control over the infected device, it is also capable of exfiltrating data. The malware can collect sensitive information from the device, including personal data, app information, and potentially credentials stored on the device. This data is then sent back to the C2 server, where it can be accessed by the attackers. The ability to exfiltrate data allows Android.Vo1d to be used for espionage and identity theft, making it a highly dangerous threat.
The malware may also be used to disrupt the functioning of the device. In some cases, Android.Vo1d can install additional malicious software that could disable or damage the device, furthering the attacker’s objectives. Although the main focus of the malware is control and data theft, it could potentially serve as a precursor to more destructive attacks, depending on the attackers’ intentions.
Conclusion
Android.Vo1d represents a highly sophisticated piece of malware designed to compromise Android TV boxes. By exploiting outdated software versions, modifying critical system files, and using covert communication methods, Android.Vo1d can maintain persistent control over infected devices. Its ability to download additional payloads, monitor directories, and exfiltrate data makes it a powerful tool for cybercriminals. As the malware continues to spread, users are advised to update their devices, avoid installing unofficial firmware, and use security software to detect and remove threats like Android.Vo1d.
MITRE Tactics and Techniques
Initial Access (T1071: Application Layer Protocol)
Android.Vo1d may gain initial access to the infected device through vulnerabilities in the device’s firmware or operating system. This is likely to happen when devices run outdated versions of Android, which are often not supported with security patches. The malware could exploit vulnerabilities or use intermediate malware to gain root access, allowing it to install itself and persist on the device.
Persistence (T1547: Boot or Logon Autostart)
Android.Vo1d ensures persistence by modifying system files that allow it to automatically start every time the infected device reboots. The malware alters critical files such as install-recovery.sh, daemonsu, and debuggerd. By registering its components in these files, the malware ensures that it can maintain control over the device even after a reboot, which is a key persistence tactic.
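The file modifications described here and in the Infection and Persistence Mechanism section above are something a defender can check for directly: compare the pulled boot-time files against hashes from clean firmware, and scan the startup script for lines that launch anything from writable storage. The Python script below is an added example, not code from the original write-up or from any vendor tool. It assumes the files have been copied off the device (for example with `adb pull`), that the usual AOSP/SuperSU paths apply, and that clean-firmware SHA-256 baselines exist; all file contents, the injected lines and the `/data/local/demo/` path are constructed for the demonstration and are not real Vo1d artefacts.

```python
"""Integrity audit of boot-time files the report says Android.Vo1d modifies
(install-recovery.sh, daemonsu, debuggerd).

Added example, not from the original write-up or any vendor tool. Assumes
files were pulled off the device and clean-firmware SHA-256 baselines are
available. Paths are the usual AOSP/SuperSU locations (assumed); all file
contents and injected lines are constructed, not real Vo1d artefacts.
"""
import hashlib
import re

# Heuristics for a startup shell script. Each is a hint to review, not a verdict.
SUSPICIOUS = {
    "runs from writable storage": re.compile(r"/data/|/sdcard/"),
    "references reported component name": re.compile(r"\b(vo1d|wd)\b"),
    "detaches a background process": re.compile(r"\b(nohup|setsid)\b|&\s*$"),
    "makes a file executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_script(text: str) -> list:
    """Return (line_no, reason, line) for every non-comment line matching a heuristic."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(stripped):
                hits.append((no, reason, stripped))
    return hits


def audit_boot_files(files: dict, baseline: dict) -> dict:
    """Compare each pulled file with its baseline hash and, for shell
    scripts, list suspicious lines. Returns {path: {...}}."""
    report = {}
    for path, data in files.items():
        entry = {"hash_matches": sha256_hex(data) == baseline.get(path)}
        if path.endswith(".sh"):
            entry["suspicious_lines"] = scan_script(data.decode("utf-8", "replace"))
        report[path] = entry
    return report


# --- Constructed sample data (not real firmware or malware content) ----------
RECOVERY_SH = "/system/etc/install-recovery.sh"   # assumed stock location
DAEMONSU = "/system/xbin/daemonsu"                 # assumed SuperSU location

CLEAN_RECOVERY_SH = b"""#!/system/bin/sh
# constructed stand-in for a stock install-recovery.sh
if ! applypatch -c EMMC:/dev/block/platform/recovery:1024:deadbeef; then
  applypatch EMMC:/dev/block/platform/boot:2048:cafebabe EMMC:/dev/block/platform/recovery
else
  log -t recovery "Recovery image already installed"
fi
"""
CLEAN_DAEMONSU = b"\x7fELF constructed clean daemonsu bytes"

# Infected variants: the script gains lines that start a component from
# writable storage; daemonsu is replaced wholesale. The path is invented.
INFECTED_RECOVERY_SH = CLEAN_RECOVERY_SH + b"""
chmod 755 /data/local/demo/vo1d
/data/local/demo/vo1d &
"""
INFECTED_DAEMONSU = b"\x7fELF constructed replaced daemonsu bytes"

BASELINE = {
    RECOVERY_SH: sha256_hex(CLEAN_RECOVERY_SH),
    DAEMONSU: sha256_hex(CLEAN_DAEMONSU),
}


def audit_clean() -> dict:
    return audit_boot_files({RECOVERY_SH: CLEAN_RECOVERY_SH, DAEMONSU: CLEAN_DAEMONSU}, BASELINE)


def audit_infected() -> dict:
    return audit_boot_files({RECOVERY_SH: INFECTED_RECOVERY_SH, DAEMONSU: INFECTED_DAEMONSU}, BASELINE)


if __name__ == "__main__":
    for label, report in (("clean", audit_clean()), ("infected", audit_infected())):
        print(f"== {label} ==")
        for path, entry in report.items():
            print(path, "baseline match" if entry["hash_matches"] else "HASH MISMATCH")
            for no, reason, line in entry.get("suspicious_lines", []):
                print(f"  line {no}: {reason}: {line}")
```

The hash comparison is the authoritative signal; the line heuristics exist so that an analyst without a baseline for a given firmware build still gets a short list of lines to read, rather than a raw diff. Because the report notes that daemonsu is a root-providing binary rather than a script, only the hash check applies to it.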
Privilege Escalation (T1068: Exploitation for Privilege Escalation)
Android.Vo1d likely uses privilege escalation to gain root access on infected devices, which allows it to modify critical system files and ensure deeper infiltration. This is often achieved through exploiting known vulnerabilities in the device’s operating system, making it possible for the malware to run with elevated permissions.
Command and Control (T1071: Application Layer Protocol)
Android.Vo1d communicates with its command-and-control (C2) servers over the internet using HTTP or DNS tunneling techniques. The malware’s ability to send and receive commands from the C2 servers allows attackers to control the infected devices, download and execute malicious payloads, and further maintain control over the system.
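The DNS-based channel described here and under Command and Control Communication above leaves a recognisable footprint in resolver logs: one client issuing many distinct, long, high-entropy subdomains under a single zone, often as TXT queries. The Python detector below is an added example, not code from the original write-up or from any vendor product. It assumes a sensor or resolver log with one query per line in the constructed format `<timestamp> <client-ip> <qname> <qtype>`; the log lines, the `c2demo.test` and `example.test` domains, and the thresholds are all constructed for the demonstration and are not Vo1d indicators.

```python
"""Heuristic detector for DNS-tunnelling style C2 traffic of the kind the
report attributes to Android.Vo1d (data sent in small chunks in DNS queries).

Added example, not from the original write-up or any vendor product. Log
format, domains and thresholds are constructed assumptions for the demo.
"""
import hashlib
import math
from collections import defaultdict

# Thresholds are assumptions tuned to the sample data, not published values.
MIN_UNIQUE_SUBDOMAINS = 8   # a tunnel must vary the name to move new data
MIN_MEAN_ENTROPY = 3.0      # bits/char; encoded chunks look random
MIN_MEAN_SUBLEN = 20        # long left-hand labels carry the payload


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Split 'chunk.sub.example.test' into (subdomain, zone). Assumes the zone
    is the last two labels; a real deployment would use a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    """Return (client, qname, qtype) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname, qtype


def profile_queries(lines):
    """Aggregate per (client, zone): distinct subdomains, per-query entropy
    and length of the subdomain part, and the TXT query count."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "len": [], "txt": 0, "n": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines rather than abort the run
        client, qname, qtype = rec
        sub, zone = split_zone(qname)
        s = stats[(client, zone)]
        s["n"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)
            s["ent"].append(shannon_entropy(sub.replace(".", "")))
            s["len"].append(len(sub))
    return stats


def flag_tunnels(lines) -> dict:
    """Return {(client, zone): [reasons]} for aggregates that show the
    volume signal plus at least one content signal."""
    flagged = {}
    for key, s in profile_queries(lines).items():
        if not s["ent"]:
            continue
        mean_ent = sum(s["ent"]) / len(s["ent"])
        mean_len = sum(s["len"]) / len(s["len"])
        reasons = []
        if len(s["subs"]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append(f"{len(s['subs'])} distinct subdomains")
        if mean_ent >= MIN_MEAN_ENTROPY:
            reasons.append(f"mean entropy {mean_ent:.2f} bits/char")
        if mean_len >= MIN_MEAN_SUBLEN:
            reasons.append(f"mean subdomain length {mean_len:.0f}")
        if s["txt"] > s["n"] / 2:
            reasons.append("mostly TXT queries")
        if len(s["subs"]) >= MIN_UNIQUE_SUBDOMAINS and len(reasons) >= 2:
            flagged[key] = reasons
    return flagged


def build_constructed_log() -> list:
    """Constructed sample: ordinary lookups from one client, tunnel-like
    lookups (hex chunks as the leftmost label) from another."""
    lines = [
        "2024-09-12T10:00:01Z 10.0.0.7 www.example.test A",
        "2024-09-12T10:00:02Z 10.0.0.7 cdn.example.test A",
        "2024-09-12T10:00:03Z 10.0.0.7 api.example.test AAAA",
        "2024-09-12T10:00:04Z 10.0.0.7 ota.vendor-demo.test A",
        "this line is malformed and must be skipped",
    ]
    for i in range(12):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-09-12T10:01:{i:02d}Z 10.0.0.9 {chunk}.c2demo.test TXT")
    return lines


if __name__ == "__main__":
    for (client, zone), reasons in flag_tunnels(build_constructed_log()).items():
        print(f"{client} -> {zone}: " + "; ".join(reasons))
```

Requiring the volume signal together with at least one content signal keeps single odd-looking lookups from firing. Expect benign noise from services that legitimately encode data in DNS labels (content-delivery and reputation-lookup services are common sources), so pair this with an allow list of known zones before acting on a hit.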
Exfiltration (T1041: Exfiltration Over Command and Control Channel)
Android.Vo1d has the ability to exfiltrate data from the infected devices. It can collect information from the device and send it back to the C2 server, where it can be accessed by attackers. This is a common tactic for backdoor malware, as it enables attackers to collect sensitive information from the target.
Impact (T1486: Data Encrypted for Impact)
While Android.Vo1d’s primary function is to maintain control over the infected device and download additional payloads, it could potentially engage in damaging activities such as installing ransomware or other malicious tools. In some instances, Android.Vo1d could be used to disrupt or disable the functionality of a device by deploying malicious software.