Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system, in use across 197 countries, have been compromised by a new malware strain called Vo1d (also known as Void).
“This malware is a backdoor that embeds its components into the system storage and can secretly download and install third-party software when commanded by attackers,” Russian antivirus company Doctor Web revealed in a report published today.
The majority of the infections have been found in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.
The exact infection vector remains unclear, but it is suspected to involve either an earlier compromise that granted root access or the use of unofficial firmware builds that ship with root privileges enabled.
The campaign has specifically targeted the following TV box models, identified by the Android version and build string the devices report:
- KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
- R4 (Android 7.1.2; R4 Build/NHG47K)
- TV BOX (Android 12.1; TV BOX Build/NHG47K)
The attack replaces the "/system/bin/debuggerd" daemon binary (the original is moved aside to a backup named "debuggerd_real") and introduces two new files, "/system/xbin/vo1d" and "/system/xbin/wd", which contain the malicious code and run concurrently.
According to Google's Android documentation, "Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons. In Android 8.0 and higher, crash_dump32 and crash_dump64 are spawned as needed." Hijacking debuggerd is therefore only meaningful on a pre-8.0 system, which is notable given that all three listed models share the same NHG47K build tag that the R4 entry pairs with Android 7.1.2.
As part of the campaign, two further files on the device, install-recovery.sh and daemonsu (the daemon installed by the SuperSU rooting tool, which is consistent with the devices having been rooted beforehand), were altered to start the "wd" module and thereby trigger the malware's execution.
"To disguise one of its components as the system program '/system/bin/vold,' the trojan's creators likely renamed it to 'vo1d,' swapping the lowercase letter 'l' with the number '1'," noted Doctor Web.
The "vo1d" payload, in turn, launches the "wd" module and keeps it running, and downloads and executes additional files on instruction from a command-and-control (C2) server. It also monitors specified directories and automatically installs any APK files placed in them.
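The artifacts described above make a straightforward triage check. The script below is an added example written for this page, not code from Doctor Web or the article: it walks an Android system tree (the live box over adb shell, or a pulled copy laid out as ROOT/system/...) and flags the indicators the report names. It takes the binary paths from the report; the locations of install-recovery.sh and daemonsu are not given, so it searches for them by name and assumes a patched launcher contains the literal string "xbin/wd". The homoglyph check generalises the vo1d/vold trick to other digit-for-letter look-alikes of common daemons. The fake filesystem it builds under mktemp is constructed for the offline demo.

```shell
#!/bin/sh
# Added example: Vo1d indicator triage for an Android TV box system tree.
# Not from the Doctor Web report; paths for the launcher scripts and the
# "xbin/wd" marker are assumptions, the fixture below is constructed.

# vo1d_scan ROOT: print one line per indicator, then a count.
# Exit status 0 = nothing found, 1 = one or more indicators present.
vo1d_scan() {
    vs_root=${1%/}
    vs_hits=0

    # 1. Dropped payload binaries named in the report.
    for vs_f in /system/xbin/vo1d /system/xbin/wd; do
        if [ -e "$vs_root$vs_f" ]; then
            echo "HIT dropped file: $vs_f"
            vs_hits=$((vs_hits + 1))
        fi
    done

    # 2. The replaced crash daemon leaves the original behind as debuggerd_real.
    if [ -e "$vs_root/system/bin/debuggerd_real" ]; then
        echo "HIT debuggerd backup: /system/bin/debuggerd_real"
        vs_hits=$((vs_hits + 1))
    fi

    # 3. Boot-time scripts patched to start the "wd" module. Their location is
    #    not given in the report, so search by basename (assumption) and look
    #    for a reference to /system/xbin/wd (assumption).
    for vs_f in $(find "$vs_root/system" \( -name install-recovery.sh -o -name daemonsu \) 2>/dev/null); do
        if grep -q 'xbin/wd' "$vs_f" 2>/dev/null; then
            echo "HIT launcher patched: ${vs_f#"$vs_root"}"
            vs_hits=$((vs_hits + 1))
        fi
    done

    # 4. Look-alike names: any binary whose name, after mapping 1->l and 0->o,
    #    equals a well-known daemon name but is not spelled that way.
    for vs_dir in /system/bin /system/xbin; do
        [ -d "$vs_root$vs_dir" ] || continue
        for vs_p in "$vs_root$vs_dir"/*; do
            [ -e "$vs_p" ] || continue
            vs_name=${vs_p##*/}
            vs_norm=$(printf '%s' "$vs_name" | tr '10' 'lo')
            [ "$vs_norm" = "$vs_name" ] && continue
            case " vold installd debuggerd logd netd zygote " in
                *" $vs_norm "*)
                    echo "HIT look-alike name: $vs_dir/$vs_name (mimics $vs_norm)"
                    vs_hits=$((vs_hits + 1)) ;;
            esac
        done
    done

    echo "indicators: $vs_hits"
    [ "$vs_hits" -eq 0 ]
}

# make_fixture infected|clean: build a constructed system tree for the demo
# and print its path. The infected layout mirrors the artifacts in the text.
make_fixture() {
    mf_root=$(mktemp -d)
    mkdir -p "$mf_root/system/bin" "$mf_root/system/xbin" "$mf_root/system/etc"
    : > "$mf_root/system/bin/vold"
    : > "$mf_root/system/bin/debuggerd"
    printf '#!/system/bin/sh\n' > "$mf_root/system/etc/install-recovery.sh"
    if [ "$1" = infected ]; then
        : > "$mf_root/system/bin/debuggerd_real"
        : > "$mf_root/system/xbin/vo1d"
        : > "$mf_root/system/xbin/wd"
        printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$mf_root/system/etc/install-recovery.sh"
        printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$mf_root/system/xbin/daemonsu"
    fi
    echo "$mf_root"
}

# Usage: sh vo1d_scan.sh [ROOT]. With no argument, scan the constructed fixture.
if [ "$#" -gt 0 ]; then
    vo1d_scan "$1"
else
    demo=$(make_fixture infected)
    vo1d_scan "$demo" || :
    rm -rf "$demo"
fi
```

On a live device run it as `adb shell sh /data/local/tmp/vo1d_scan.sh /`; bear in mind that a root-level backdoor can hide or restore files under a running system, so an image pulled after booting to recovery, or a dump of the system partition, is the more trustworthy input. Presence checks are only a first pass: comparing the hashes of /system/bin/debuggerd, install-recovery.sh and daemonsu against a known-good firmware image catches a replacement even where the backup file has been cleaned up.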
“It is unfortunately common for budget device manufacturers to use outdated OS versions and present them as newer ones to make the devices seem more appealing,” the company added.