    Vo1d Malware Hits 1.3 Million Android TV Boxes Globally

    A staggering 1.3 million Android-based TV boxes across 197 countries have fallen victim to a new malware strain named Vo1d (also referred to as Void). These devices, running outdated versions of the Android OS, have been compromised by the malicious software.

    The Vo1d malware operates as a backdoor, infiltrating the system storage and executing commands from attackers. It can surreptitiously download and install third-party applications without the user’s knowledge, as outlined by Russian cybersecurity firm Doctor Web in a report published today.

    Most of the infections have been detected in countries such as Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

    Although the precise origin of the infection remains unclear, experts speculate that it could stem from a previous system compromise that enabled root privileges or from the use of unofficial firmware versions pre-configured with root access.

    The following TV models have been specifically targeted by the campaign:

    • KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
    • R4 (Android 7.1.2; R4 Build/NHG47K)
    • TV BOX (Android 12.1; TV BOX Build/NHG47K)

    The attack involves replacing the “/system/bin/debuggerd” daemon file, with the original file being relocated as a backup under the name “debuggerd_real.” Additionally, two malicious files, “/system/xbin/vo1d” and “/system/xbin/wd”, are introduced into the system to carry out the malware’s tasks concurrently.

    According to Google’s Android documentation, prior to Android 8.0, system crashes were managed by the “debuggerd” and “debuggerd64” daemons. However, with Android 8.0 and later versions, the “crash_dump32” and “crash_dump64” processes handle these tasks on an as-needed basis.

    As part of the malware’s deployment, two legitimate Android OS files, “install-recovery.sh” and “daemonsu”, have been modified to trigger the execution of the “wd” module, a key component of the Vo1d malware.

    Doctor Web further noted that the malware creators likely intended to disguise part of their malicious code as the system program “/system/bin/vold,” substituting the letter “l” with the number “1” to create the name “vo1d.”

    Once activated, the Vo1d payload initiates the “wd” module, ensuring it runs continuously and facilitates the downloading and execution of other files at the command of a remote command-and-control (C2) server. The malware also monitors specific directories and automatically installs any APK files it finds within them.
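    As an added defender-side example (not code from Doctor Web’s report or from this article), the POSIX shell script below checks a pulled or mounted Android /system tree for the artifacts described above: the vo1d and wd helpers, the debuggerd_real backup, and start-up scripts that launch wd. The locations of install-recovery.sh and daemonsu vary by firmware, so those paths are an assumption and the script searches for them by name; on a live box, pull the tree first (for example with adb, which needs root to read all of /system).

```shell
#!/bin/sh
# Vo1d file-system triage for an Android /system tree.
# Usage: vo1d_triage /path/to/root   (the directory that contains "system/")
# Prints one "FINDING:" line per indicator and returns the number of findings
# as the exit status (0 = none of the described artifacts were found).
vo1d_triage() {
    root="${1:-/}"
    sysdir="$root/system"
    hits=0

    # 1. The two malicious helpers the campaign drops into /system/xbin.
    for f in xbin/vo1d xbin/wd; do
        if [ -e "$sysdir/$f" ]; then
            echo "FINDING: unexpected file $sysdir/$f"
            hits=$((hits + 1))
        fi
    done

    # 2. The renamed original crash daemon: its presence means debuggerd was swapped.
    if [ -e "$sysdir/bin/debuggerd_real" ]; then
        echo "FINDING: $sysdir/bin/debuggerd_real present (debuggerd was replaced)"
        hits=$((hits + 1))
    fi

    # 3. Start-up files modified to launch the "wd" module. Their paths differ
    #    between firmware builds (assumption: install-recovery.sh under system/etc,
    #    daemonsu under system/xbin), so locate them by name anywhere in the tree.
    #    -a lets grep scan daemonsu even though it is normally a binary.
    for name in install-recovery.sh daemonsu; do
        for script in $(find "$sysdir" -name "$name" -type f 2>/dev/null); do
            if grep -aqE '(^|[/[:space:]])wd([[:space:]]|;|&|$)' "$script"; then
                echo "FINDING: $script references the wd module"
                hits=$((hits + 1))
            fi
        done
    done

    echo "TOTAL: $hits finding(s)"
    return "$hits"
}

# Run directly against a dump: sh vo1d_triage.sh /mnt/tvbox_dump
if [ -n "${1:-}" ]; then
    vo1d_triage "$1"
fi
```

    The indicators are the file names reported for this campaign only, so a clean result does not rule out a variant that uses different paths; treat a nonzero exit status as a reason to image the device rather than as proof by itself.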

    Doctor Web pointed out that it’s not uncommon for budget device manufacturers to ship older versions of Android under the guise of newer releases, making these devices attractive to buyers but more vulnerable to security threats.
