
Irish Information Security Forum

ALERT! : Backdoor Malware in Android-Based TV Boxes

 

Recently, security researchers uncovered a significant malware infection affecting approximately 1.3 million Android-based TV boxes globally¹. The malware, identified as Android.Vo1d, has created a backdoor in these devices, allowing attackers to remotely install and execute additional malicious software¹².

 

The Android.Vo1d malware embeds itself within the system storage area of the affected devices. It runs scripts that let it survive reboots, and this persistence is what gives it a “backdoor” into the infected system. This placement enables it to download and install third-party software upon receiving commands from a command-and-control (C2) server¹. The exact attack vector remains undetermined, but researchers speculate that it could involve:

 

  • Exploitation of OS Vulnerabilities: The malware might exploit known vulnerabilities in outdated versions of the Android operating system to gain root privileges¹.
  • Unofficial Firmware: Devices running unofficial firmware with built-in root access could be particularly susceptible².

 

Security firm Doctor Web reported that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers.

 

Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

 

The compromised devices include various models running different versions of the Android Open Source Project (AOSP) firmware.

 

Notably, these devices are not Play Protect certified, meaning they haven't undergone Google's rigorous security and compatibility tests¹². Some of the affected models are:

  • R4 TV Box: Running Android 7.1.2 (Build NHG47K)
  • KJ-SMART4KVIP: Running Android 10.1 (Build NHG47K)
  • Generic TV Box: Running Android 12.1 (Build NHG47K)¹²
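
As an added example (not from the cited reports or from Doctor Web), the sketch below triages saved `adb shell getprop` dumps against the three model, version and build combinations listed above. The `ro.product.model` strings used as keys and the sample dumps are assumptions constructed for illustration; the page gives only display names.

```python
import re

# Release and build ID per affected model, as listed on this page.
# Keys are ASSUMED ro.product.model values; the page gives only the display
# names "R4 TV Box", "KJ-SMART4KVIP" and "Generic TV Box".
AFFECTED = {
    "R4": ("7.1.2", "NHG47K"),
    "KJ-SMART4KVIP": ("10.1", "NHG47K"),
    "TV BOX": ("12.1", "NHG47K"),
}

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def triage(props):
    """Return 'listed', 'model-match' or 'not-listed' for one device."""
    model = props.get("ro.product.model", "").strip().upper()
    release = props.get("ro.build.version.release", "").strip()
    build = props.get("ro.build.id", "").strip().upper()
    if model not in AFFECTED:
        return "not-listed"
    if (release, build) == AFFECTED[model]:
        return "listed"        # model, release and build all match the page
    return "model-match"       # same model, other firmware: still inspect

def triage_all(dumps):
    """Map each device name to its triage verdict."""
    return {name: triage(parse_getprop(text)) for name, text in dumps.items()}

# Constructed sample dumps (not captured from real devices).
SAMPLES = {
    "box-livingroom": "[ro.product.model]: [KJ-SMART4KVIP]\n"
                      "[ro.build.version.release]: [10.1]\n[ro.build.id]: [NHG47K]\n",
    "box-office": "[ro.product.model]: [R4]\r\n"
                  "[ro.build.version.release]: [7.1.2]\r\n[ro.build.id]: [NHG47L]\r\n",
    "box-lab": "[ro.product.model]: [EXAMPLE-STB]\n"
               "[ro.build.version.release]: [11]\n[ro.build.id]: [EXAMPLE01]\n",
}

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A `listed` or `model-match` verdict is a reason to inspect the device further, not proof of infection, and `not-listed` does not clear a device, since the list above covers only some of the affected models.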

 

The malware has a widespread impact, with infections reported in nearly 200 countries. The highest concentration of affected devices is in Brazil, followed by significant numbers in Morocco, Pakistan, Saudi Arabia, and Russia². The presence of Android.Vo1d in these devices poses severe security risks, including unauthorized data access and potential integration into larger botnets. Users are advised to:

 

  • Update Firmware: Ensure that the device firmware is up-to-date to mitigate known vulnerabilities.
  • Verify Device Certification: Use Play Protect certified devices to ensure compliance with security standards.
  • Install Security Software: Consider installing reputable antivirus software to detect and remove malware¹².

 

 

One possible cause of the infections is that the devices are running outdated OS versions that are vulnerable to exploits that remotely execute malicious code on them (versions 7.1, 10.1, and 12.1 were released in 2016, 2019, and 2022, respectively). Doctor Web said it’s not unusual for budget device manufacturers to install older OS versions in streaming boxes. The discovery of the Android.Vo1d malware highlights the vulnerabilities inherent in using outdated and uncertified firmware. It underscores the importance of maintaining up-to-date security practices to protect against evolving threats.

 


References

 

(1) 1.3 million Android-based TV boxes backdoored ... - Ars Technica. https://arstechnica.com/security/2024/09/researchers-still-dont-know-how-1-3-million-android-streaming-boxes-were-backdoored/.
(2) Malware has infected 1.3 million Android TV boxes in 197 countries. https://www.techspot.com/news/104729-vo1d-malware-infects-13-million-android-tv-boxes.html.
(3) Over a million Android TV streaming boxes infected by Vo1d malware. https://bgr.com/tech/over-a-million-android-tv-streaming-boxes-infected-by-vo1d-malware/.
(4) 'Vo1d' Trojan Malware Infects 1.3 Million Android-Based TV Boxes .... https://www.pcmag.com/news/vo1d-trojan-malware-infects-13-million-android-tv-boxes-globally.
(5) 1.3 Million Android-Based TV Boxes Backdoored; Researchers Still Don't .... https://it.slashdot.org/story/24/09/13/2117242/13-million-android-based-tv-boxes-backdoored-researchers-still-dont-know-how.
