A new malware called Vo1d has infected nearly 1.3 million Android-based TV boxes, causing widespread concern for users in 197 countries.

 

The malware, which has infected outdated TV models running older versions of Android, was identified by Russian antivirus company Doctor Web.

Vo1d, also known as Void, has the potential to install third-party software on compromised devices without the user’s knowledge. This backdoor malware operates silently and is capable of downloading files on command, further spreading the infection.

Infection Spread and Target Countries

According to Doctor Web, the malware has heavily impacted users in countries such as Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia. These nations account for the majority of infected devices, although the total impact is global.

The infection spreads across several Android TV Devices, including:

• KJ-SMART4KVIP (Android 10.1)
• R4 (Android 7.1.2)
• TV BOX (Android 12.1)

These devices are vulnerable to the Vo1d malware, which infects them by replacing key system files with malicious versions and adding new executable files that facilitate the infection.

How the Vo1d Malware Works

Vo1d works by replacing the “/system/bin/debuggerd” file, a core system daemon, while renaming the original as “debuggerd_real” for backup. The malware adds two additional files, “/system/xbin/vo1d” and “/system/xbin/wd,” which contain the malicious code. The malware authors have cleverly disguised the name of their component as “vo1d,” a play on the system’s original “vold” daemon by replacing the “l” with a “1” to make it look similar.

Once installed, Vo1d starts running in the background, establishing a persistent connection to a command-and-control (C2) server. This server can issue commands to download and run additional executables on the compromised devices. The malware also monitors specific directories and automatically installs APK files it detects, adding to its infection capabilities.

Possible Sources of the Infection

At this stage, the exact method of infection is unclear. However, it is suspected that the devices were either compromised through prior vulnerabilities that allowed the attackers to gain root privileges, or users may have installed unofficial firmware with built-in root access, making it easier for the malware to take hold.

The use of outdated versions of Android OS plays a key role in the vulnerability of these devices. Before Android 8.0, system crashes were handled by the “debuggerd” daemons, which the malware exploits. In later versions, Google introduced “crash_dump32” and “crash_dump64” to handle crashes, making them less susceptible to this type of attack. Unfortunately, many budget devices still run older versions of Android, making them prime targets for malware like Vo1d.

We have seen similar instances in the past with various Streaming Apps and Boxes being infected, specifically “stock” boxes that run a modified version of Android OS.

We always preach the importance of safety when using these types of devices and one of the main reasons is due to their vulnerability for infection.

The Dangers of Cheap Android Boxes & Malware

Google Responds: No Play Protect Certification

In response to the Vo1d malware infections, Google has clarified that the infected devices were not Play Protect certified, meaning they did not undergo Google’s official security and compatibility tests. Google Play Protect ensures that devices meet Google’s standards for security and user safety.

Google said in a statement:

These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results.

The company further advised users to check if their devices are Play Protect certified by visiting the official Android TV website, where an updated list of certified partners is available.

Why Budget Android TV Boxes Are At Risk

One of the underlying reasons behind the spread of Vo1d is the practice of budget device manufacturers using outdated OS versions. These manufacturers often pass off older software as newer versions to make their products seem more attractive to consumers. This practice, however, leaves the devices vulnerable to security issues that have been addressed in more recent versions of the Android OS.

With older, unsupported software versions, these devices become easy targets for attackers who exploit known vulnerabilities. The Vo1d malware highlights the risks of using uncertified devices and the importance of staying up-to-date with security patches and firmware.

What Users Can Do

To avoid falling victim to Vo1d or other malware, users should:

• Purchase Play Protect certified Android devices.
• Regularly update their firmware to the latest version.
• Avoid unofficial firmware or rooting their devices unless absolutely necessary.
• Use antivirus software and a trustworthy VPN to protect their devices from potential threats.

Google encourages users to confirm whether their devices are Play Protect certified by visiting their Android TV website or checking directly in the device’s settings.

Wrapping Up

If you are a user of a “stock” Android TV Box, make sure you are properly protecting yourself with a VPN and other means of internet safety.

Those in the market for a device should proceed with caution when considering one of these boxes, and ultimately, opt for an alternative from a reputable supplier such as Google, MECOOL, or other vetted source.