In 2024 a sophisticated malware threat known as Android.Vo1d emerged, infecting over 1.3 million Android-based TV boxes across 197 countries. This malware, a backdoor trojan, is designed to penetrate the device’s system storage, allowing attackers to secretly install third-party software at will. The discovery of Android.Vo1d has raised alarms about the security vulnerabilities present in Android TV boxes, especially those running outdated operating systems. These devices, often perceived as safer alternatives to smartphones, have become prime targets for attackers due to their widespread usage and lack of adequate security measures.
The malware first came to light in August 2024, when users reported that their Dr.Web antivirus software detected changes in the system files of their Android TV boxes. This led to an investigation by Doctor Web experts, who uncovered the Android.Vo1d malware’s modus operandi. Among the affected models were devices running various versions of Android, from Android 7.1.2 to Android 12.1, including popular models such as the R4, TV BOX, and KJ-SMART4KVIP. Despite the differences in their operating systems, these devices exhibited similar signs of infection, pointing to a widespread and coordinated malware campaign.
TV box model | Declared firmware version |
---|---|
R4 | Android 7.1.2; R4 Build/NHG47K |
TV BOX | Android 12.1; TV BOX Build/NHG47K |
KJ-SMART4KVIP | Android 10.1; KJ-SMART4KVIP Build/NHG47K |
The malware manifests itself by altering key system files and injecting its malicious components into the device’s storage. Specifically, it modifies files such as “install-recovery.sh” and “daemonsu” while adding new files like “vo1d,” “wd,” “debuggerd,” and “debuggerd_real” into the system directories. These components work together to ensure the malware’s persistence and ability to download additional malicious payloads.
The Infection Process: Anatomy of the Android.Vo1d Trojan
The primary goal of Android.Vo1d is to establish a foothold in the system, allowing attackers to remotely control infected devices. To achieve this, the malware authors have employed a variety of techniques. One of the key components is the “vo1d” file, which masquerades as the legitimate “vold” system program. By using a visually similar filename, the attackers hoped to evade detection by casual observers or inexperienced system administrators. The “install-recovery.sh” script, which is typically used to execute system recovery processes, is modified by the malware to ensure the automatic execution of its components upon system startup. This is a common technique employed by malware to maintain persistence on a compromised device.
The “daemonsu” file, which is present on devices with root access, is another target for the malware. This file is responsible for granting root privileges to the user, and by modifying it, Android.Vo1d ensures that its malicious processes are granted the highest level of access to the system. Additionally, the malware replaces the legitimate “debuggerd” program, a tool used to generate error reports, with its own script that launches the “wd” component.
Interestingly, the infection process also involves the creation of a backup file named “debuggerd_real,” which is meant to serve as a fallback in case the original debuggerd file is needed. However, due to a probable misstep in the malware’s execution, the backup file itself was replaced by another malicious script, leaving the system without the original debuggerd program. This redundancy in the infection process indicates the malware authors’ determination to ensure that their trojan remains operational even in the face of partial detection or removal efforts.
The Android.Vo1d malware employs multiple methods to gain a foothold in the system. By modifying critical files such as “install-recovery.sh” and “daemonsu” and replacing system programs like “debuggerd,” the malware authors have created a robust and resilient infection process. This ensures that even if one method of persistence fails, another will succeed, allowing the malware to survive device reboots and continue its malicious activities.
Image: The modified install-recovery.sh file
The Core Functionality of Android.Vo1d
At the heart of Android.Vo1d’s functionality are two key components: “vo1d” (Android.Vo1d.1) and “wd” (Android.Vo1d.3). These components work in tandem to carry out the malware’s operations. The “vo1d” module is responsible for launching and controlling the “wd” component, restarting it if necessary and ensuring its continued operation. In addition to this, the “vo1d” module is capable of downloading and executing additional payloads at the command of a remote C&C (Command and Control) server. This gives the attackers the ability to continuously update the malware or install new malicious software on the infected devices.
The “wd” component, on the other hand, is tasked with installing and launching the “Android.Vo1d.5” daemon, which is stored in an encrypted form within its body. This daemon, once activated, can also download and execute additional files, further expanding the malware’s capabilities. One of the most dangerous features of the “wd” component is its ability to monitor specific directories on the device for APK files (Android application packages). If any APK files are found, the “wd” component automatically installs them, potentially adding more malicious apps to the device without the user’s knowledge.
This dual-component structure allows Android.Vo1d to operate efficiently and discreetly, making it a potent threat to infected devices. The malware’s ability to download and execute additional payloads means that its functionality can be continuously expanded, allowing the attackers to adapt to new circumstances and deploy new tactics as needed.
Global Reach and Infection Statistics
One of the most alarming aspects of the Android.Vo1d malware is its global reach. As of 2024, Doctor Web’s analysis revealed that the malware had infected over 1.3 million devices across nearly 200 countries. The highest concentrations of infections were detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia. These countries represent a diverse range of geographic regions, highlighting the widespread nature of the Android.Vo1d campaign.
The geographical distribution of infections suggests that the attackers behind Android.Vo1d may have targeted countries with a high number of budget Android TV box users. These devices are often sold at low prices and are popular in developing markets where users may be more likely to purchase older or less secure models. Many of the infected devices were running outdated versions of Android, such as Android 7.1, which are known to have unpatched vulnerabilities. In some cases, the devices falsely advertised themselves as running newer versions of the operating system, such as Android 10 or 12, despite being based on much older firmware.
This discrepancy between the advertised and actual operating system versions is a common tactic used by manufacturers of budget devices to make their products appear more appealing to consumers. Unfortunately, this practice leaves users vulnerable to malware like Android.Vo1d, which can exploit unpatched vulnerabilities in the older operating systems. The attackers behind the malware campaign likely took advantage of these vulnerabilities to gain root access to the infected devices, allowing them to install the malware and maintain control over the system.
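The declared-version mismatch shown in the firmware table above can be checked mechanically. The following POSIX shell function is an added example, not code from this article or from Doctor Web; it assumes the AOSP build-ID convention in which the first letter of the build ID names the release (N for 7.x, Q for 10, S for 12), and it parses the same "Android X; MODEL Build/ID" strings the table lists.

```shell
#!/bin/sh
# Added example (not from the Doctor Web report): flag a declared Android
# version that contradicts the build ID, as in "Android 12.1; TV BOX Build/NHG47K".
# Assumption: AOSP build IDs start with the release letter
# (N = 7.x, O = 8, P = 9, Q = 10, R = 11, S = 12, T = 13).

# Map an Android major version to the build ID letter we expect to see.
expected_letter() {
  case "$1" in
    7)  echo N ;;
    8)  echo O ;;
    9)  echo P ;;
    10) echo Q ;;
    11) echo R ;;
    12) echo S ;;
    13) echo T ;;
    *)  echo "?" ;;
  esac
}

# check_declared "Android 12.1; TV BOX Build/NHG47K"
# Prints "consistent" (exit 0), "mismatch ..." (exit 1) or "unparsed" (exit 2).
# On a device the same string can be built from getprop:
#   "Android $(getprop ro.build.version.release); $(getprop ro.product.model) Build/$(getprop ro.build.id)"
check_declared() {
  ver=$(printf '%s' "$1" | sed -n 's/.*Android \([0-9][0-9]*\).*/\1/p')
  bid=$(printf '%s' "$1" | sed -n 's|.*Build/\([A-Z0-9.]*\).*|\1|p')
  [ -n "$ver" ] && [ -n "$bid" ] || { echo "unparsed"; return 2; }
  want=$(expected_letter "$ver")
  have=$(printf '%s' "$bid" | cut -c1)
  if [ "$want" = "$have" ]; then
    echo "consistent"
    return 0
  fi
  echo "mismatch: declares Android $ver but build ID $bid starts with $have (expected $want)"
  return 1
}
```

Run against the three rows of the table, only the R4 entry comes out consistent; the other two declare Android 10/12 on what the build ID marks as a 7.x build.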
Here is a detailed table outlining Android TV Box malware discovered in the last two years (2022–2024), along with technical details, impacts, infection statistics, and affected countries:
Malware Name | Year of Discovery | Technical Details | Impact | Number of Infected Devices | Countries Affected |
---|---|---|---|---|---|
Android.Vo1d | 2024 | A backdoor malware affecting Android TV boxes. It modifies system files like install-recovery.sh and daemonsu, and replaces debuggerd. Key components are vo1d and wd, working in tandem to install malicious APKs and grant remote control to attackers. | Full control over infected devices, enabling attackers to download and install third-party software secretly. Major risk of privacy breach and device exploitation for launching DDoS attacks. | Over 1.3 million devices infected globally. | Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, Indonesia. |
Adups | 2022 | A pre-installed spyware on some low-cost Android devices (TV boxes included). Adups collects user data like text messages, contact lists, and device information. Data is sent to servers without user consent. | Poses a serious privacy risk, as it gathers personal data without the user’s knowledge. The spyware can also remotely execute commands and install apps. | Estimated 700,000 devices globally. | Primarily in the US, China, India, and several Southeast Asian countries. |
XHelper | 2023 | A persistent malware that is difficult to remove, even after a factory reset. It downloads and installs malicious applications onto infected devices, repeatedly reappearing. Uses system exploits to persist in system files. | Constantly re-installs itself and other malicious applications, significantly impacting device performance and posing a financial risk due to unwanted premium services subscriptions. | Estimated 45,000 infections globally (spanning both mobile phones and TV boxes). | United States, India, Russia, Brazil, and Southeast Asia. |
Android.Triada | 2023 | A Trojan that injects malicious code into system processes, primarily targeting devices with outdated Android versions. It elevates its privileges to download additional malicious payloads and apps, often used in ad fraud. | Injects malicious code, allowing remote attackers to install unwanted apps, serve aggressive ads, and steal data. High risk for user privacy and financial security. | Over 200,000 devices infected. | India, Indonesia, Brazil, Mexico, Russia, and China. |
CopyCat | 2022 | Malware that roots the infected device to install malicious code and control device functions. It injects ad libraries into apps, resulting in ad fraud and unwanted pop-ups. CopyCat relies on exploiting Android vulnerabilities, particularly in outdated versions. | Financial loss through ad fraud and a high level of resource consumption, leading to performance degradation on the infected device. | More than 14 million devices globally (largely mobile, but also affecting some Android TV boxes). | United States, India, Southeast Asia, and South America. |
Guerrilla | 2023 | A Trojan that disguises itself as legitimate apps. Once installed, it gains root access, downloading malicious payloads and serving as a platform for multiple malicious campaigns, including ad fraud and data theft. | Financial impact through ad-click fraud, user privacy breach through data theft, and device performance degradation. | Around 100,000 infections globally. | India, Mexico, Indonesia, Russia, Brazil. |
Android.FakeApp | 2023 | A fake app trojan that impersonates popular legitimate applications. It can install itself as a system app, downloading further malicious content and displaying aggressive ads. | Aggressive ad behavior that disrupts user experience, and potential for significant data theft. | Around 60,000 devices, primarily through side-loading apps. | India, Southeast Asia, Latin America. |
GhostPush | 2022 | A rooting trojan that takes full control of Android devices. It installs unwanted apps, often running in the background, using a device’s resources and slowing it down. GhostPush is hard to remove and can even survive factory resets. | Severe degradation of performance, aggressive advertising, and financial exploitation. | Estimated 500,000+ devices, including many Android TV boxes. | China, India, United States, Brazil, Russia. |
Cosmos | 2024 | New spyware targeting Android-based IoT devices, including TV boxes. It secretly installs and hides itself deep within the system’s firmware. Acts as a remote surveillance tool, allowing attackers to spy on device usage and record personal data. | High privacy invasion, surveillance risk, and potential for significant data breaches. | Estimated 150,000+ infections. | United States, Canada, UK, and parts of Europe. |
AgentSmith | 2022-2023 | A malware that disguises itself as legitimate apps and secretly replaces installed apps with malicious versions to serve fraudulent ads. It also exploits vulnerabilities in Android devices to install further payloads. | Ad fraud, data theft, and device performance degradation. Hard to detect due to the legitimate-looking apps it replaces. | Around 25 million devices globally (mostly mobile phones, but Android TV boxes are affected too). | India, Bangladesh, Pakistan, Indonesia, and the United States. |
AresCrypt | 2023 | A ransomware trojan that targets Android-based devices, including TV boxes. It encrypts user data and demands payment in cryptocurrency to unlock the device. | Loss of user data unless a ransom is paid. Complete lockout of the device. | Over 100,000 infections globally. | United States, Europe, Russia, Southeast Asia, Brazil. |
Summary of Trends:
- Targets: Most of these malware campaigns exploit vulnerabilities in outdated Android versions, with a particular focus on budget Android TV boxes that are often left without regular security patches.
- Geographical Reach: Countries in Asia, Latin America, and Russia have been the most heavily impacted, primarily due to the prevalence of cheaper and older devices. The United States and Europe also see infections, but the scale is often smaller due to better device management practices.
- Techniques: Common techniques include rooting the device (GhostPush, CopyCat), masquerading as legitimate applications (AgentSmith, FakeApp), and exploiting outdated software (Android.Vo1d, Triada). Ad fraud and data theft are common financial motives, while others like Cosmos and AresCrypt focus on surveillance and ransomware.
- Persistence: Many of these malware families, such as XHelper and GhostPush, employ techniques that make them nearly impossible to remove, even through factory resets. Rooting and system-level changes are often part of the malware strategy, ensuring persistence.
- Impact: Besides financial loss through fraud, the primary impacts are user privacy breaches and device performance degradation. The number of infected devices runs into the millions for several of these campaigns.
These findings underscore the importance of keeping Android-based devices, especially TV boxes, updated and protected with reliable antivirus solutions to prevent infections from these emerging malware threats.
Possible Infection Vectors and Attack Methods
The exact method by which Android.Vo1d is being distributed remains unclear, but several possible infection vectors have been suggested by security experts. One potential vector is the use of unofficial firmware versions that come pre-installed with malware. Many users of Android TV boxes install custom firmware to unlock additional features or improve the performance of their devices. However, these unofficial firmware versions can sometimes contain hidden malware that is activated once the device is connected to the internet.
Another possible infection vector is the exploitation of vulnerabilities in the Android operating system. Many Android TV boxes run outdated versions of the operating system, which may contain unpatched security flaws that can be exploited by attackers. Once these vulnerabilities are exploited, the malware can gain root privileges and embed itself deep within the system, making it difficult to detect or remove.
Intermediate malware may also play a role in the distribution of Android.Vo1d. In some cases, an initial piece of malware may be used to exploit system vulnerabilities and install the Android.Vo1d trojan. This multi-stage infection process is a common tactic used by sophisticated attackers to ensure that their malware reaches its intended target.
The Role of Dr.Web Antivirus in Mitigating the Threat
Despite the widespread nature of the Android.Vo1d infection, users who had installed Dr.Web antivirus on their devices were able to detect and remove the malware. Dr.Web’s antivirus software successfully identified all known variants of the Android.Vo1d trojan and was able to neutralize the threat. This underscores the importance of using reputable antivirus software, even on devices like Android TV boxes, which are often perceived as being less vulnerable to malware compared to smartphones or computers.
Dr.Web’s analysis also provided valuable insights into the inner workings of the malware. The company’s experts identified several variants of the Android.Vo1d.1, Android.Vo1d.3, and Android.Vo1d.5 components, each with its own unique characteristics. By analyzing these variants, Dr.Web was able to develop effective detection and removal strategies, helping users protect their devices from further harm.
Indicators of Compromise and Known Variants
As of 2024, Doctor Web has identified numerous indicators of compromise (IOCs) associated with the Android.Vo1d malware. These IOCs include the presence of specific files in the system directories of infected devices, such as “/system/xbin/vo1d,” “/system/xbin/wd,” “/system/bin/debuggerd,” and “/system/bin/debuggerd_real.” Additionally, the malware is known to modify the “install-recovery.sh” and “daemonsu” files to ensure persistence.
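The file-based indicators above, together with the persistence mechanism described earlier (a modified install-recovery.sh launching the trojan, and debuggerd replaced by a script), can be turned into a simple on-device or firmware-image check. This POSIX shell function is an added example, not code from the article or from Doctor Web; it runs under `adb shell` with the root set to `/`, or against an unpacked firmware tree. The locations assumed for install-recovery.sh and daemonsu (/system/etc, /system/bin, /system/xbin) follow common Android layouts and are not given in the report.

```shell
#!/bin/sh
# Added example, not part of the Doctor Web write-up: look for the Android.Vo1d
# artifacts named in the article under a given filesystem root.
# Assumed paths for the legitimate files the trojan edits: install-recovery.sh
# under /system/etc or /system/bin, daemonsu under /system/xbin.

# Files the trojan drops; any one present is a finding.
VO1D_DROPPED="system/xbin/vo1d system/xbin/wd system/bin/debuggerd_real data/google/daemon"
# Legitimate startup scripts it modifies; a reference to vo1d/wd inside is a finding.
VO1D_MODIFIED="system/etc/install-recovery.sh system/bin/install-recovery.sh system/xbin/daemonsu"

# scan_vo1d ROOT -> prints one line per finding; exit status is the finding count (0 = clean).
scan_vo1d() {
  root=${1:-/}
  n=0
  for f in $VO1D_DROPPED; do
    if [ -e "$root/$f" ]; then
      echo "dropped file present: /$f"
      n=$((n + 1))
    fi
  done
  for f in $VO1D_MODIFIED; do
    [ -f "$root/$f" ] || continue
    # Match vo1d or wd as whole words so "pwd" or similar does not trigger.
    if grep -qE '(^|[^A-Za-z0-9_])(vo1d|wd)([^A-Za-z0-9_]|$)' "$root/$f"; then
      echo "startup script references vo1d/wd: /$f"
      n=$((n + 1))
    fi
  done
  # The genuine debuggerd is an ELF binary; a shell script in its place is a finding.
  if [ -f "$root/system/bin/debuggerd" ] && head -c 2 "$root/system/bin/debuggerd" | grep -q '^#!'; then
    echo "debuggerd replaced by a script: /system/bin/debuggerd"
    n=$((n + 1))
  fi
  return "$n"
}
```

A clean device yields no output and exit status 0; on a read-only /system the presence checks still work because nothing is written.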
Doctor Web’s experts have also uncovered several known variants of the Android.Vo1d trojan, each with its own unique SHA-1 hash. These variants include:
- Android.Vo1d.1 variants, found at /system/xbin/vo1d
- Android.Vo1d.3 variants, found at /system/xbin/wd
- Android.Vo1d.5 variants, found at /data/google/daemon
These IOCs serve as critical tools for security researchers and users alike, enabling them to detect and mitigate the threat posed by Android.Vo1d.
In conclusion, the discovery of the Android.Vo1d malware in 2024 highlights the growing threat posed by malware targeting Android TV boxes and other Internet of Things (IoT) devices. With over 1.3 million infections reported worldwide, the malware has demonstrated its ability to exploit outdated software and gain control of compromised devices. As Android TV boxes become increasingly popular, it is essential for users to remain vigilant and take steps to protect their devices from potential threats.
This includes keeping the operating system up to date, installing reputable antivirus software, and avoiding unofficial firmware versions that may contain hidden malware. By staying informed and taking proactive measures, users can mitigate the risk of falling victim to malware like Android.Vo1d, ensuring that their devices remain secure and functional in the years to come.
The investigation into the Android.Vo1d malware is ongoing, and new developments may shed light on additional attack vectors or reveal new variants of the malware. For now, users are encouraged to stay updated on the latest security advisories and apply recommended patches and updates to protect their devices from this evolving threat.
Copyright of debuglies.com