1.3 Million Android TV Boxes Infected by Vo1d Malware in Global Campaign

Nearly 1.3 million Android TV boxes, running outdated operating system versions, have been infected by a newly discovered malware called Vo1d (also referred to as Void). The malware, which has been found in devices spanning 197 countries, creates a backdoor that allows attackers to secretly download and install third-party software.

Russian antivirus company Doctor Web published the findings today, highlighting that the infection is particularly widespread in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

Though the exact source of the infection is still unknown, experts suspect that it may have been introduced either through previous compromises that provided root access or unofficial firmware versions with built-in root privileges.

The campaign has specifically targeted the following TV models:

  • KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
  • R4 (Android 7.1.2; R4 Build/NHG47K)
  • TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack replaces the “/system/bin/debuggerd” daemon file with a malicious version. Additionally, two new files, “/system/xbin/vo1d” and “/system/xbin/wd”, are introduced into the system. The malware modifies crucial Android system files, such as “install-recovery.sh” and “daemonsu”, to ensure that the malicious “wd” component starts automatically when the device is turned on.

Doctor Web researchers explained that the malware's developers likely disguised the file name “vo1d” by replacing the letter “l” in the system program “/system/bin/vold” with the number “1” to avoid detection. Once the vo1d payload is running, it keeps the “wd” module active and allows remote attackers to install and execute additional files based on commands from a command-and-control (C2) server. It also monitors specific directories, installing any APK files found there.
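As an added example (not code from the article or from Doctor Web), the following POSIX shell function turns the indicators listed above into a read-only check that can be run against a pulled system image or a copy of the device's system partition. It looks for the two dropped files, searches the named startup scripts for a reference to the “wd” binary (the `xbin/wd` pattern is this example's assumption about how the autostart is wired), generalises the “vo1d”/“vold” digit-for-letter trick to every entry in /system/xbin, and optionally compares debuggerd against a known-good hash that you supply from vendor firmware (no such hash appears on the page).

```shell
#!/bin/sh
# Added example, not code from the article or from Doctor Web: a read-only
# check for the Vo1d indicators the article names, run against a filesystem
# root such as a pulled system image or a copy of the system partition.
# Usage: vo1d_check /path/to/root [known_good_debuggerd_sha256]
# Exit status: 0 = nothing found, 1 = at least one indicator found.

vo1d_check() {
    root=${1%/}
    good_sha=$2
    found=0

    # 1. The two dropped files the article names under /system/xbin
    for f in /system/xbin/vo1d /system/xbin/wd; do
        if [ -e "$root$f" ]; then
            echo "FOUND dropped file: $f"
            found=1
        fi
    done

    # 2. Startup scripts the article says are modified to launch "wd". The
    #    article gives no full paths, so they are located by name; looking
    #    for a reference to xbin/wd inside them is this example's assumption
    #    about how the autostart is wired.
    for name in install-recovery.sh daemonsu; do
        for script in $(find "$root/system" -type f -name "$name" 2>/dev/null); do
            if grep -q 'xbin/wd' "$script"; then
                echo "FOUND autostart reference to wd in: ${script#"$root"}"
                found=1
            fi
        done
    done

    # 3. Generalisation of the vo1d/vold trick: flag any /system/xbin entry
    #    whose name matches a /system/bin binary once the digits 1 and 0
    #    are read as the letters l and o.
    for f in "$root"/system/xbin/*; do
        [ -e "$f" ] || continue
        base=${f##*/}
        canon=$(printf '%s' "$base" | tr '10' 'lo')
        if [ "$canon" != "$base" ] && [ -e "$root/system/bin/$canon" ]; then
            echo "SUSPICIOUS lookalike: /system/xbin/$base resembles /system/bin/$canon"
            found=1
        fi
    done

    # 4. Optional: compare debuggerd against the hash of a known-good copy
    #    taken from the vendor firmware (the hash itself is not on the page).
    if [ -n "$good_sha" ] && [ -f "$root/system/bin/debuggerd" ]; then
        actual=$(sha256sum "$root/system/bin/debuggerd" | cut -d' ' -f1)
        if [ "$actual" != "$good_sha" ]; then
            echo "FOUND modified /system/bin/debuggerd (sha256 $actual)"
            found=1
        fi
    fi

    return $found
}
```

Source the file and call `vo1d_check /mnt/system_image` (optionally with a known-good debuggerd hash as the second argument). The lookalike check in step 3 is deliberately broader than the one name the report describes, so treat its output as a lead to inspect rather than a verdict; the dropped-file and debuggerd checks are the ones that map directly to the published indicators.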

One factor contributing to the spread of this malware is that some budget device manufacturers ship older operating system versions and pass them off as newer ones, making their devices seem more appealing to buyers.

Google has since responded to the discovery, clarifying that these infected devices were not Play Protect certified Android devices. The company added that such devices likely used source code from the Android Open Source Project (AOSP) code repository. A spokesperson from Google emphasized that Play Protect-certified devices undergo extensive testing to ensure quality and safety, and recommended that users check the Android TV website to verify if their devices are Play Protect certified.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067