A newly discovered malware infection has raised alarm bells by affecting an estimated 1.3 million Android streaming devices running an open-source version across almost 200 countries.
The malware, dubbed “Android.Vo1d,” has successfully backdoored these Android-based boxes by inserting malicious code into their system storage areas, allowing for potential updates with additional malware via command-and-control servers at any time.
Scope and Impact
Security firm Doctor Web reported the widespread infection on Thursday, highlighting the extensive reach of the Android.Vo1d malware. The affected devices are operating systems based on the Android Open Source Project (AOSP), a version overseen by Google but distinct from the proprietary Android TV used by licensed device manufacturers.
Google representatives have confirmed that the infected devices are not running the official Android TV OS, emphasizing that these are “off-brand devices” without Play Protect certification. This certification process involves extensive testing to ensure quality and user safety. Confirm your TV is running Android TV OS by using the guide posted here.
Unknown Infection Vector
Despite their thorough understanding of the malware and its widespread impact, researchers at Doctor Web are still uncertain about the exact attack vector leading to these infections. They have proposed several possibilities:
- An intermediate malware exploiting operating system vulnerabilities to gain root privileges
- The use of unofficial firmware versions with built-in root access
- Outdated and vulnerable Android versions susceptible to remote code execution exploits
- Potential supply chain compromises, where devices may have been infected before reaching end-users
Affected Devices and Variants
The infection has been found on several TV box models, including:
| TV box model | Declared firmware version |
|---|---|
| R4 | Android 7.1.2; R4 Build/NHG47K |
| TV BOX | Android 12.1; TV BOX Build/NHG47K |
| KJ-SMART4KVIP | Android 10.1; KJ-SMART4KVIP Build/NHG47K |
Researchers have identified dozens of Android.Vo1d variants, each using different code and planting malware in slightly different storage areas. However, all variants achieve the same result: connecting to attacker-controlled servers and installing components that can deploy additional malware on command.
Infection Characteristics
The Android.Vo1d trojan modifies several system files and creates new ones to ensure persistence on infected devices. Key changes include:
- Modification of the install-recovery.sh script
- Alteration of the daemonsu file
- Creation of new files: vo1d, wd, debuggerd, and debuggerd_real
These modifications allow the malware to anchor itself in the system and auto-launch during device reboots. The trojan’s main functionality is split between two components: vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3), which work together to maintain the infection and execute commands from the control servers.
Geographic Distribution
The infection has spread globally, with the highest number of cases detected in:
- Brazil
- Morocco
- Pakistan
- Saudi Arabia
- Russia
- Argentina
- Ecuador
- Tunisia
- Malaysia
- Algeria
- Indonesia
Detection and Mitigation
Identifying infected devices can be challenging for less experienced users. Doctor Web recommends using their antivirus software for Android, which can detect all Vo1d variants and disinfect devices with root access. More technically inclined users can check for indicators of compromise provided by the security firm.
The incident also highlights the risks associated with using non-certified Android devices and emphasizes the importance of regular security updates and proper device vetting. As the investigation continues, it serves as a stark reminder of the ongoing challenges in securing the diverse ecosystem of Android-based devices in the market.
