The Android.Vo1d malware embeds itself in the system storage area of affected devices. It runs scripts that let it survive a reboot, and this persistence is what gives it a "backdoor" into the infected system. From that position it can download and install third-party software on command from a command-and-control (C2) server¹. The exact attack vector remains undetermined, but researchers speculate that it could involve:
Security firm Doctor Web reported that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers.
Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.
Notably, these devices are not Play Protect certified, meaning they haven't undergone Google's rigorous security and compatibility tests¹². Some of the affected models are:
The malware has a widespread impact, with infections reported in nearly 200 countries. The highest concentration of affected devices is in Brazil, followed by significant numbers in Morocco, Pakistan, Saudi Arabia, and Russia². The presence of Android.Vo1d in these devices poses severe security risks, including unauthorized data access and potential integration into larger botnets. Users are advised to:
One possible cause of the infections is that the devices run outdated OS versions that are vulnerable to exploits allowing remote execution of malicious code (e.g. versions 7.1, 10.1, and 12.1, released in 2016, 2019, and 2022 respectively). Doctor Web said it is not unusual for budget device manufacturers to install older OS versions in streaming boxes. The discovery of the Android.Vo1d malware highlights the risks inherent in using outdated and uncertified firmware, and underscores the importance of maintaining up-to-date security practices to protect against evolving threats.
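The article's two firmware-side risk signals (an outdated Android release and uncertified, non-release firmware) can be checked from a box's own system properties. The triage script below is an added example, not Doctor Web's or Google's tooling: it parses the output of `adb shell getprop` (the sample block is constructed) and flags an old major release, a stale security patch level, and test-signed or debug builds. The Android property names used (`ro.build.version.release`, `ro.build.version.security_patch`, `ro.build.tags`, `ro.secure`, `ro.debuggable`) are standard; the one-year patch-age threshold and the "older than Android 12" cut-off are the example's own assumptions.

```python
"""Triage helper for Android-based TV boxes (added example, not from the article).

Reads `getprop` output and reports the firmware risk signals the article
describes: an outdated Android release, a stale security patch level, and
firmware that is not a signed release build.
"""
import re
from datetime import date

# Release years of the Android versions named in the article.
ANDROID_RELEASE_YEAR = {7: 2016, 10: 2019, 12: 2022}

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample of `adb shell getprop` output for an old, test-signed box.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2017-03-05]
[ro.build.tags]: [test-keys]
[ro.product.model]: [EXAMPLE-TV-BOX]
[ro.secure]: [0]
"""


def parse_getprop(text):
    """Parse getprop output into a {key: value} dict, ignoring unparseable lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def major_version(release):
    """Return the major Android version from a release string such as '7.1.2'."""
    m = re.match(r"(\d+)", release or "")
    return int(m.group(1)) if m else None


def assess(props, today=None, min_major=12, max_patch_age_days=365):
    """Return a list of human-readable findings; an empty list means no signal fired."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    findings = []

    # 1. Outdated OS release (the article names 7.1, 10.1 and 12.1 as examples).
    major = major_version(props.get("ro.build.version.release"))
    if major is None:
        findings.append("unknown Android release")
    elif major < min_major:
        year = ANDROID_RELEASE_YEAR.get(major)
        suffix = f" (released {year})" if year else ""
        findings.append(f"Android {major} is outdated{suffix}")

    # 2. Security patch level older than the threshold.
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        findings.append("no security patch level reported")
    else:
        try:
            age = (today - date.fromisoformat(patch)).days
            if age > max_patch_age_days:
                findings.append(f"security patch level {patch} is {age} days old")
        except ValueError:
            findings.append(f"unparseable security patch level {patch!r}")

    # 3. Firmware that is not a signed release build (uncertified/dev firmware).
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("firmware signed with test-keys (not a release build)")
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append("debug build: ro.secure=0 or ro.debuggable=1")
    return findings


def triage(text, today=None):
    """Convenience wrapper: getprop text in, findings out."""
    return assess(parse_getprop(text), today=today)


if __name__ == "__main__":
    for finding in triage(SAMPLE_GETPROP, today="2024-09-15"):
        print("-", finding)
```

Run it against real output with `adb shell getprop > props.txt` and `triage(open("props.txt").read())`; a box that reports release-keys, a recent patch level and a current major version returns an empty list.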
References
(1) 1.3 million Android-based TV boxes backdoored ... - Ars Technica. https://arstechnica.com/security/2024/09/researchers-still-dont-know-how-1-3-million-android-streaming-boxes-were-backdoored/.
(2) Malware has infected 1.3 million Android TV boxes in 197 countries. https://www.techspot.com/news/104729-vo1d-malware-infects-13-million-android-tv-boxes.html.
(3) Over a million Android TV streaming boxes infected by Vo1d malware. https://bgr.com/tech/over-a-million-android-tv-streaming-boxes-infected-by-vo1d-malware/.
(4) 'Vo1d' Trojan Malware Infects 1.3 Million Android-Based TV Boxes .... https://www.pcmag.com/news/vo1d-trojan-malware-infects-13-million-android-tv-boxes-globally.
(5) 1.3 Million Android-Based TV Boxes Backdoored; Researchers Still Don't .... https://it.slashdot.org/story/24/09/13/2117242/13-million-android-based-tv-boxes-backdoored-researchers-still-dont-know-how.
If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the IISF Secretary by email at secretary@iisf.ie, or by post: David Cahill, Information Security, GPO, 1-117, D01 F5P2.