A newly identified Android malware family has infected roughly 1.3 million TV boxes that are running older versions of the mobile operating system, Doctor Web warns.
The malware, dubbed Vo1d, is a backdoor that can fetch and install additional software, based on commands received from its command-and-control (C&C) server.
The threat, Doctor Web discovered, drops its components in the system storage area, posing as legitimate OS components, and uses at least three methods to anchor itself to the system and ensure that it launches automatically when the device reboots.
Vo1d was seen leveraging its ability to write to the system directory to hook itself into an Android script that is executed at operating system launch, and which automatically runs specified components.
Additionally, the malware registers itself to a file responsible for providing root privileges, also with an autostart component, and replaces a daemon typically used to create reports on system errors with a script that launches a malicious component.
According to Doctor Web, one of the analyzed devices only contained the malicious script, likely because it was infected twice and the second infection completely removed the legitimate daemon file, thus breaking the error logging feature.
The backdoor’s main functionality is controlled by two separate components, one of which launches and oversees the other’s activity, restarting it if necessary, and can download and execute additional payloads if instructed by the C&C.
The second module installs and runs a daemon also capable of fetching and executing payloads, and monitors specified directories to install APKs found in them.
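The persistence tricks described above (a dropped file posing as an OS component, a hook into an autostart script, and a native daemon swapped for a shell script) all leave traces on the system partition. The following POSIX shell helpers are an added example for triaging a suspected box offline or over an `adb shell`; they are not Doctor Web's tooling or anything from the article. Every path and the manifest format are assumptions: the known-good manifest is expected to come from a clean copy of the same firmware image.

```sh
#!/bin/sh
# Added triage helpers (example code, not from Doctor Web or the article).
# Paths, the manifest layout and file names used here are assumptions.

# 1. A daemon that should be a native ELF binary but now starts with "#!" is
#    the "error-reporting daemon replaced by a script" indicator.
#    Prints one of: elf | script | missing | other
classify_daemon() {
  f="$1"
  if [ ! -e "$f" ]; then
    echo missing
    return 0
  fi
  # first four bytes, rendered by od so NUL/0x7f bytes are safe to compare
  magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
  case "$magic" in
    177ELF) echo elf ;;      # \177 E L F
    '#!'*)  echo script ;;
    *)      echo other ;;
  esac
}

# 2. Compare a directory tree against a known-good manifest of
#    "<sha256>  <relative path>" lines taken from clean firmware.
#    Prints one MODIFIED/MISSING line per divergence; returns 0 only if
#    every listed file is present and unchanged (catches a hooked
#    autostart script or a tampered root-privilege helper).
verify_manifest() {
  manifest="$1"
  root="$2"
  rc=0
  while read -r want rel; do
    [ -n "$rel" ] || continue
    if [ ! -f "$root/$rel" ]; then
      echo "MISSING $rel"
      rc=1
      continue
    fi
    have=$(sha256sum "$root/$rel" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
      echo "MODIFIED $rel"
      rc=1
    fi
  done < "$manifest"
  return $rc
}

# 3. Files present under the tree but absent from the manifest: dropped
#    components posing as legitimate OS files show up here.
unlisted_files() {
  manifest="$1"
  root="$2"
  listed=$(mktemp)
  present=$(mktemp)
  awk '{print $2}' "$manifest" | sort > "$listed"
  (cd "$root" && find . -type f | sed 's#^\./##' | sort) > "$present"
  comm -13 "$listed" "$present"
  rm -f "$listed" "$present"
}

# Typical use (assumed paths), e.g. after "adb pull /system ./system":
#   classify_daemon ./system/bin/<daemon-name>
#   verify_manifest clean_firmware.sha256 ./system
#   unlisted_files  clean_firmware.sha256 ./system
```

`verify_manifest` reports files that exist but differ, which is the case for a hooked autostart script or an altered root-privilege helper; `unlisted_files` reports what was added, which is where dropped components that mimic OS files appear. Neither check proves a device is clean, since a manifest is only as trustworthy as the firmware it was built from, but together they turn the three persistence methods into concrete, repeatable file-level checks.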
According to Doctor Web, Vo1d has infected roughly 1.3 million devices in 197 countries, with Brazil being affected the most. Numerous infections were also seen in Algeria, Argentina, Ecuador, Indonesia, Malaysia, Morocco, Pakistan, Russia, Saudi Arabia, and Tunisia.
The cybersecurity firm notes that Vo1d likely targets Android-based boxes because they run older Android versions, such as 7.1, 10, and 12, that contain unpatched vulnerabilities.
Such vulnerable devices remain in use either because manufacturers chose not to use newer platform iterations, or because users may believe that TV boxes are not as exposed as other Android devices and may fail to install security software on them.
“The source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access,” Doctor Web notes.
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified,” a Google spokesperson told SecurityWeek.
*Updated with statement from Google.
Related: BingoMod Android RAT Wipes Devices After Stealing Money
Related: Many Android Apps Expose Users to Attacks Due to Failure to Patch Google Library
Related: Advanced Android Spyware Remained Hidden for Two Years