Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide

Nearly 1.3 million Android-based TV devices running outdated versions of the operating system, belonging to customers across 197 countries, have been infected by a new malware strain named Vo1d (aka Void).

"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus provider Doctor Web claimed in a study released today.

A majority of the infections have been found in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

The source of the infection is not yet known, but it is suspected to involve either an earlier compromise that granted root privileges or the use of unofficial firmware versions with built-in root access.

The following TV models have been targeted as part of the campaign -

KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)

R4 (Android 7.1.2; R4 Build/NHG47K)

TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack involves replacing the "/system/bin/debuggerd" daemon file (with the original file moved to a backup called "debuggerd_real") and dropping two new files – "/system/xbin/vo1d" and "/system/xbin/wd" – which contain the malicious code and run concurrently.

"Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons," Google states in its Android documentation. "In Android 8.0 and higher, crash_dump32 and crash_dump64 are spawned as needed."

Two files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign so that they launch the "wd" module and thereby trigger execution of the malware.

"The trojan's authors probably tried to disguise one of its components as the system program '/system/bin/vold,' having called it by the similar-looking name 'vo1d' (substituting the lowercase letter 'l' with the number '1')," Doctor Web added.

The "vo1d" payload, in turn, launches "wd" and ensures it keeps running persistently, while also downloading and executing binaries when instructed by a command-and-control (C2) server. It also monitors specified directories and installs any APK files it finds in them.
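The file-level changes described above (the replaced debuggerd with its debuggerd_real backup, the vo1d and wd binaries in /system/xbin, the startup scripts modified to launch wd, and the vold lookalike name) translate directly into an integrity check a defender can run against a device shell or a mounted firmware image. The script below is an added example, not Doctor Web's code or anything from the article. It assumes the dropped files sit at the paths the article names, searches for install-recovery.sh and daemonsu anywhere under /system because the article does not give their locations, and goes one step beyond the article with a generic digit-for-letter lookalike check against a short list of real Android daemon names (vold, installd, debuggerd). The function name vo1d_scan and the optional root argument are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or Doctor Web): scan a filesystem tree for
# the Vo1d file-level indicators described in the article.
#
# Usage:  sh vo1d_check.sh /              (on the device, e.g. via "adb shell")
#         sh vo1d_check.sh /mnt/image     (against a mounted or pulled firmware tree)
# Exit status is 0 when nothing was found and 1 when at least one indicator hit.

vo1d_scan() {
    root="${1%/}"          # "/" or "" both mean the live root; strip a trailing slash
    hits=0

    # 1. Files the article reports as dropped or renamed by the malware.
    for f in /system/xbin/vo1d /system/xbin/wd /system/bin/debuggerd_real; do
        if [ -e "$root$f" ]; then
            echo "INDICATOR: $f present"
            hits=$((hits + 1))
        fi
    done

    # 2. Startup scripts modified to launch the "wd" module. The article does not
    #    give their paths, so look for them anywhere under /system (assumption).
    scripts=$(find "$root/system" \( -name install-recovery.sh -o -name daemonsu \) \
                   -type f 2>/dev/null || true)
    for s in $scripts; do
        if grep -q -E '/system/xbin/(wd|vo1d)' "$s"; then
            echo "INDICATOR: $s references the wd/vo1d module"
            hits=$((hits + 1))
        fi
    done

    # 3. Generic lookalike check (goes beyond the article): a binary whose name
    #    becomes a legitimate daemon name once digits 1/0 are read as letters l/o.
    legit="vold installd debuggerd"          # illustrative list of real Android daemons
    for d in "$root/system/bin" "$root/system/xbin"; do
        [ -d "$d" ] || continue
        for p in "$d"/*; do
            [ -e "$p" ] || continue
            name=${p##*/}
            norm=$(printf '%s' "$name" | tr '10' 'lo')
            if [ "$norm" != "$name" ]; then
                case " $legit " in
                    *" $norm "*)
                        echo "INDICATOR: $p looks like system daemon '$norm'"
                        hits=$((hits + 1)) ;;
                esac
            fi
        done
    done

    echo "scan of '${root:-/}': $hits indicator(s)"
    if [ "$hits" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Run only when a root path is given on the command line.
if [ "$#" -gt 0 ]; then
    vo1d_scan "$1"
fi
```

A hit from check 1 or 2 is a strong signal because those paths and references have no legitimate reason to exist; a hit from check 3 alone is worth a manual look rather than an automatic verdict, since a vendor build could ship an oddly named binary. On a live device the script needs read access to /system, which a normal adb shell has.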

"Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive," the company added.

Update

Google informed The Hacker News that the compromised TV models were not Play Protect certified Android devices and presumably used source code from the Android Open Source Project repository. The company's full statement is as follows -

"These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn't keep a record of security and compatibility test results. Play Protect certified Android devices undergo comprehensive testing to assure quality and user safety. To help you identify whether or not a device is designed with Android TV OS and Play Protect certified, our Android TV website offers the most up-to-date list of partners. You may also follow these steps to verify whether your device is Play Protect certified."
