Vo1d Botnet Hits Alarming Peak: Over 1.59 Million Infected Android TVs Across 226 Countries

Brazil, South Africa, Indonesia, Argentina, and Thailand are being targeted by a new campaign distributing a botnet malware known as Vo1d, which has infected a large number of Android TV devices. This advanced version of Vo1d has grown considerably, reaching over 800,000 daily active IP addresses, and peaked at 1,590,299 infected devices across 226 countries on January 19, 2025. Notably, India saw a sharp rise in infections, climbing from less than 1% to 18.17% in just a month.

According to QiAnXin XLab, Vo1d has improved its stealth and its resilience against detection. The malware uses RSA encryption for its communication, which complicates command-and-control takedown efforts. Each payload is retrieved by its own distinct method and is further obscured with XXTEA encryption whose keys are protected by RSA.

Vo1d was initially documented by Doctor Web in September 2024 as malware affecting Android TV boxes. The infection vector remains unclear, but it is speculated to arise from supply chain attacks or unofficial firmware versions that provide root access.

Google noted that the TVs affected were "off-brand" models that were not certified by Play Protect and likely utilized source code from the Android Open Source Project (AOSP).

The latest findings indicate that the malware targets users for creating proxy networks and conducting ad fraud. QiAnXin theorized that the fluctuations in botnet activity might be linked to the leasing of its infrastructure to other criminal enterprises, indicating a "rental-return" business model for botnets.

A close inspection of a recent variant of the Vo1d malware has revealed its mechanism for downloading and executing a secondary payload that communicates with a command-and-control server. That secondary payload is a package of multiple components that extend the malware's capabilities.

The Vo1d malware disguises itself as legitimate software, using the package name "com.google.android.gms.stable" to imitate Google Play services and evade detection. It autostarts after the device reboots and is engineered to execute additional payloads that perform similar functions, indicating a modular structure behind the botnet's operation.
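One way a defender can look for the lookalike package described above is to inspect the installed-package list of a device over adb. The following is an added example, not code from the article or from QiAnXin; the `pm list packages -f` output it parses is constructed, and the known-good package list is an assumption.

```python
import re

# Package name the article reports Vo1d using to masquerade as Google Play services.
REPORTED_VO1D_PACKAGES = {"com.google.android.gms.stable"}
# Legitimate system package names the impostor imitates (assumed known-good list).
KNOWN_GOOD = ("com.google.android.gms",)

# Constructed sample of `adb shell pm list packages -f` output; the APK paths are made up.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/PrebuiltGmsCore/PrebuiltGmsCore.apk=com.google.android.gms
package:/data/app/com.google.android.gms.stable-1/base.apk=com.google.android.gms.stable
package:/system/app/YouTube/YouTube.apk=com.google.android.youtube
package:/data/app/com.example.player-2/base.apk=com.example.player
"""

LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group("pkg")] = m.group("path")
    return entries

def find_suspects(entries):
    """Return (package, path, reason) triples that deserve a closer look.
    An exact match on the reported name is high confidence; the prefix
    heuristic only yields triage candidates, because some genuine Google
    packages also extend the com.google.android.gms prefix."""
    suspects = []
    for pkg, path in sorted(entries.items()):
        if pkg in REPORTED_VO1D_PACKAGES:
            suspects.append((pkg, path, "matches package name reported for Vo1d"))
            continue
        for good in KNOWN_GOOD:
            if pkg.startswith(good + ".") and not path.startswith("/system/"):
                suspects.append((pkg, path, f"extends system package {good} from outside /system"))
    return suspects

if __name__ == "__main__":
    for pkg, path, reason in find_suspects(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"{pkg}\t{path}\t{reason}")
```

On a real device, replace the sample with the output of `adb shell pm list packages -f` and treat any hit as a starting point for further inspection rather than a verdict.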

The existence of related malicious Android software called Mzmess, which contains plugins for various objectives like proxy service and ad promotion, raises questions about the orchestration behind these malware campaigns. These relationships hint at a broader trend of cybercriminals renting out malicious services across different entities.

Currently, Vo1d is primarily being exploited for profit, but the possibility exists for attackers to repurpose devices for larger cyber attacks or other illegitimate operations. This could allow hackers to launch distributed denial-of-service (DDoS) attacks or distribute unauthorized content from compromised devices.
