
Android.Vo1d malware hits 1.3 million TV boxes globally


Photo: Primakov / Shutterstock.com

The malware, dubbed Android.Vo1d, has infiltrated around 1.3 million Android-based TV boxes in 197 countries, including Brazil, Morocco, Pakistan, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, Indonesia and Saudi Arabia. This backdoor trojan can install and launch unauthorised software on command, posing a significant threat to users’ privacy and security.

Researchers discovered the infection in August 2024 when several users noticed abnormal changes in their devices’ system files. The affected TV boxes include:

  • R4 (Android 7.1.2)
  • TV BOX (Android 12.1)
  • KJ-SMART4KVIP (Android 10.1)

Google confirmed to BleepingComputer that these TV boxes are not running Google’s Android but firmware built from the Android Open Source Project (AOSP).

“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety,” said a Google spokesperson.

What makes Android.Vo1d particularly dangerous is that it embeds itself in the device’s system partition, which allows it to survive reboots and evade detection.

Upon infection, the malware modifies critical system files such as install-recovery.sh, daemonsu, and debuggerd, and introduces new components (vo1d and wd), which work together to maintain persistence.

Brazil has been the most affected by the malware, followed by Morocco and Pakistan. | Source: Dr Web

The Android.Vo1d malware disguises itself within the system by imitating legitimate files. For instance, it names one of its components ‘vo1d’ (with the digit 1), closely resembling vold, the legitimate Android volume daemon that manages storage volumes, so the file is easy to overlook in a process or directory listing.

“Its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful auto-launch during subsequent device reboots,” researchers said.
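The persistence hooks and the vo1d/vold look-alike described above can be checked on a pulled copy of a device’s system partition. The following triage script is an added example, not code from Dr.Web or from this article. It assumes the usual AOSP layout (etc/install-recovery.sh, xbin/daemonsu, bin/debuggerd under the system root) and that the added components live in xbin/; it also assumes that a stock install-recovery.sh or daemonsu never references vo1d or wd, and that a stock debuggerd is a native ELF binary rather than a script. Adjust the paths if the firmware lays things out differently.

```shell
#!/bin/sh
# Offline triage for the Android.Vo1d persistence hooks described in the text.
# Usage: vo1d_triage /path/to/system   (e.g. the directory produced by
#        `adb pull /system ./system` or a mounted firmware dump)
# Paths below are ASSUMPTIONS based on the standard AOSP layout, not
# indicators published with the report.

# is_elf FILE -> exit 0 if FILE starts with the ELF magic (7f 45 4c 46)
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# vo1d_triage SYSTEM_DIR
# Prints one finding per line ("<TYPE> <relative path>") and returns 1 if
# anything suspicious was found, 0 if the tree looks clean.
vo1d_triage() {
    sys="${1%/}"
    found=0

    # 1. Added components named in the report (vo1d and wd). Location assumed.
    for comp in xbin/vo1d xbin/wd; do
        if [ -e "$sys/$comp" ]; then
            echo "ADDED_COMPONENT $comp"
            found=1
        fi
    done

    # 2. Auto-launch hooks: any reference to vo1d or wd inside the two files
    #    the report says are modified. Assumes stock copies have none.
    for hook in etc/install-recovery.sh xbin/daemonsu; do
        if [ -f "$sys/$hook" ] &&
           grep -Eq '(^|[^a-z])(vo1d|wd)([^a-z]|$)' "$sys/$hook"; then
            echo "LAUNCH_HOOK $hook"
            found=1
        fi
    done

    # 3. debuggerd substitution: stock debuggerd is a native binary, so a
    #    debuggerd that is not an ELF file (e.g. a shell script) was replaced.
    dbg="$sys/bin/debuggerd"
    if [ -f "$dbg" ] && ! is_elf "$dbg"; then
        echo "REPLACED_DEBUGGERD bin/debuggerd"
        found=1
    fi

    return $found
}
```

Run it against a pulled system tree; a non-zero exit status means at least one finding was printed, which makes the function easy to wire into a fleet-wide check over many firmware dumps. A clean result only shows that these particular hooks are absent; the component may have been installed under a different name or path, so a full review should still diff the whole partition against a known-good image.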

The malware’s architecture allows it to download, install, and execute additional malicious files on command from its command-and-control (C2) server.

Researchers believe that one factor contributing to the malware’s success is the prevalence of older firmware on these devices. Many manufacturers use outdated versions of Android and falsely advertise them as more up-to-date versions to appeal to consumers.

This leaves the devices exposed to unpatched security flaws, making them prime targets for attackers.

Researchers have urged users to update the TV box’s firmware, disconnect affected devices from the internet, and avoid sideloading APKs from untrusted sources.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me