Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide

e262b3b2f14adca8883e191c91d44f8f0a90713b0c49484a853a705f10a4c402

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).

“It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software,” Russian antivirus vendor Doctor Web said in a report published today.

A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

Cybersecurity

It’s currently not known what the source of the infection is, although it’s suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.

The following TV models have been targeted as part of the campaign –

  • KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
  • R4 (Android 7.1.2; R4 Build/NHG47K)
  • TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack entails the substitution of the “/system/bin/debuggerd” daemon file (with the original file moved to a backup file named “debuggerd_real”), as well as the introduction of two new files – “/system/xbin/vo1d” and “/system/xbin/wd” – which contain the malicious code and operate concurrently.

android

“Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons,” Google notes in its Android documentation. “In Android 8.0 and higher, crash_dump32 and crash_dump64 are spawned as needed.”

Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the “wd” module.

Cybersecurity

“The trojan’s authors probably tried to disguise one if its components as the system program ‘/system/bin/vold,’ having called it by the similar-looking name ‘vo1d’ (substituting the lowercase letter ‘l’ with the number ‘1’),” Doctor Web said.

The “vo1d” payload, in turn, starts “wd” and ensures it’s persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.

“Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive,” the company said.

Update

Google told The Hacker News that the infected TV models were not Play Protect certified Android devices and likely used source code from the Android Open Source Project code repository. The company’s entire statement is as follows –

“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified. ”



Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.