Vo1d Malware Hits 1.3 Million Android TV Boxes in Global Cyberattack

A new malware strain known as Vo1d has infected nearly 1.3 million Android-based TV boxes worldwide, affecting users in 197 countries. The malware primarily targets devices running outdated versions of the Android operating system, spreading rapidly across Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

According to a report by researchers, Vo1d operates as a backdoor, installing itself within the system’s storage. Once activated by attackers, it secretly downloads and installs third-party software without the user’s knowledge.

While the exact source of the infection remains unclear, experts suspect the malware exploits devices that have either been previously compromised to gain root access or are running unofficial firmware with built-in root permissions.

Several TV box models have been identified as part of this campaign, including KJ-SMART4KVIP (Android 10.1), R4 (Android 7.1.2), and TV BOX (Android 12.1). The malware replaces critical system files, specifically targeting the “/system/bin/debuggerd” daemon, and installs two malicious files, “/system/xbin/vo1d” and “/system/xbin/wd”. These files work together to execute the malware and keep it running in the background.

Before Android 8.0, certain system crashes were handled by the debuggerd and debuggerd64 daemons. The malware takes advantage of this, modifying files such as “install-recovery.sh” and “daemonsu” to ensure its persistence. The Vo1d payload also continuously monitors specific directories, installing APK files it discovers when directed by a command-and-control (C2) server.

The malware authors have disguised one of the malicious components as a legitimate system program by giving it a look-alike name: “vo1d” mimics Android’s vold volume daemon, with the letter “l” replaced by the number “1”. The malware then establishes itself within the device, persistently running and enabling further downloads of malicious executables.
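The file-system indicators above lend themselves to a quick triage check. The script below is an added example, not code from the article or from the researchers who reported Vo1d; it runs on a box via `adb shell` (root is needed to read the system partition) or against a pulled copy of the system image, and it checks only the paths the article names. The directories assumed for install-recovery.sh and daemonsu are an assumption, since the article gives the file names but not their locations.

```shell
#!/bin/sh
# Triage check for the Vo1d file-system indicators named in the article.
# Usage: sh vo1d_scan.sh            (on the device, e.g. via `adb shell`)
#        sh vo1d_scan.sh ./image    (against an extracted system image)

# Components the article says Vo1d drops
VO1D_DROPPED="/system/xbin/vo1d /system/xbin/wd"
# Daemons the article says Vo1d replaces; stock copies are ELF executables
VO1D_DAEMONS="/system/bin/debuggerd /system/bin/debuggerd64"
# Persistence scripts the article says are modified. Directories are an
# assumption: the article names the files but not where they live.
VO1D_SCRIPTS="/system/bin/install-recovery.sh /system/etc/install-recovery.sh /system/xbin/daemonsu"

# vo1d_scan [ROOT]: prints one line per finding and a final "findings=N".
# Exit status 1 when anything was found, 0 when the tree looks clean.
vo1d_scan() {
    root="${1:-}"
    n=0
    for p in $VO1D_DROPPED; do
        if [ -e "$root$p" ]; then
            echo "FINDING: dropped component present: $p"
            n=$((n + 1))
        fi
    done
    for p in $VO1D_DAEMONS; do
        f="$root$p"
        [ -f "$f" ] || continue
        # A genuine debuggerd starts with the ELF magic; anything else in its place was swapped in
        if ! head -c 4 "$f" | grep -q 'ELF'; then
            echo "FINDING: $p is not an ELF executable (replaced?)"
            n=$((n + 1))
        fi
    done
    for p in $VO1D_DAEMONS $VO1D_SCRIPTS; do
        f="$root$p"
        [ -f "$f" ] || continue
        # A system file that references the dropped components has been tampered with
        if grep -q -e 'xbin/vo1d' -e 'xbin/wd' "$f" 2>/dev/null; then
            echo "FINDING: $p references Vo1d components"
            n=$((n + 1))
        fi
    done
    echo "findings=$n"
    [ "$n" -eq 0 ]
}

vo1d_scan "${1:-}"
```

A non-zero exit status is the signal to pull the flagged files for analysis rather than proof of infection on its own; a box running unofficial firmware may legitimately carry daemonsu.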

Researchers pointed out that budget device manufacturers often utilize outdated operating system versions, presenting them as more modern to attract buyers. Unfortunately, this practice makes such devices more vulnerable to malware attacks. Google confirmed that the infected TV models are not Play Protect certified and likely sourced their code from the Android Open Source Project repository.

To minimize the risk of such attacks, users should avoid installing unofficial firmware and ensure their devices are always running the latest security updates. Regularly checking for Play Protect certification when purchasing devices can also help prevent the use of insecure or outdated software. Users should also invest in reliable antivirus software to detect and block malware like Vo1d before it can do damage.