1.3 Million Android TV Boxes Infected by Vo1d Malware

Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions.

A newly identified Android malware family has infected roughly 1.3 million TV boxes that are running older versions of the mobile operating system, Doctor Web warns.

The malware, dubbed Vo1d, is a backdoor that can fetch and install additional software, based on commands received from its command-and-control (C&C) server.

The threat, Doctor Web discovered, writes its components to the system partition under names that pose as legitimate OS components, and uses at least three methods to anchor itself so that it is relaunched automatically every time the device reboots.

Because it can write to the system partition, Vo1d adds itself to an Android script that runs at operating system launch and starts whatever components are listed in it, which gives the malware its first autostart path.

In addition, the malware registers itself in a file responsible for granting root privileges, which also has an autostart component, and replaces the daemon normally used to produce system error reports with a script that launches a malicious component instead.

According to Doctor Web, one of the analyzed devices only contained the malicious script, likely because it was infected twice and the second infection completely removed the legitimate daemon file, thus breaking the error logging feature.

The backdoor’s main functionality is split between two components. The first launches the second, monitors it and restarts it if it stops, and can itself download and execute additional payloads when the C&C instructs it to.

The second component installs and runs a daemon that is likewise able to fetch and execute payloads, and it watches specified directories, installing any APK files that appear in them.
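The three anchoring methods described above leave artifacts that can be checked offline on a pulled copy of the device's /system partition (for example, `adb pull /system ./system_dump`): a boot-time script that references a binary the stock firmware never shipped, and a path that should hold a native ELF daemon but now holds a shell script or nothing at all. The script below is an added triage example, not code from Doctor Web or SecurityWeek. Its file names, the baseline of allowed paths and the sample tree it builds are constructed assumptions for illustration; it only relies on the Android fact that the native crash-reporting daemon is `debuggerd`, assumed here to live at `/system/bin/debuggerd`.

```python
"""Offline triage for Vo1d-style persistence in a pulled /system tree.

Added example (not Doctor Web's or SecurityWeek's code). All paths,
the baseline set and the sample data are assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Assumed baseline for one firmware build: absolute /system paths that its
# boot-time scripts legitimately reference. Anything else is suspect.
BASELINE_PATHS = {"/system/bin/sh", "/system/bin/applypatch"}

# Paths that must be native ELF executables on a stock build. debuggerd is
# Android's crash-reporting daemon; its location here is an assumption.
EXPECTED_ELF = ["bin/debuggerd"]

# Scripts executed at boot and therefore attractive anchor points.
# install-recovery.sh is a stock boot-time script on many Android builds.
AUTOSTART_SCRIPTS = ["bin/install-recovery.sh"]

PATH_RE = re.compile(r"/system/[\w./-]+")


def scan_elf_integrity(root: Path, expected_elf):
    """Flag expected native binaries that are missing or no longer ELF."""
    findings = []
    for rel in expected_elf:
        path = root / rel
        if not path.exists():
            # Matches the case where a repeat infection wiped the daemon.
            findings.append((rel, "missing"))
            continue
        with path.open("rb") as fh:
            magic = fh.read(4)
        if magic != ELF_MAGIC:
            kind = "shell script" if magic.startswith(b"#!") else "non-ELF file"
            findings.append((rel, f"replaced by {kind}"))
    return findings


def scan_autostart_scripts(root: Path, scripts, baseline):
    """Flag /system paths referenced by boot scripts but absent from baseline."""
    findings = []
    for rel in scripts:
        path = root / rel
        if not path.exists():
            continue
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            code = line.split("#", 1)[0]  # drop comments and the shebang
            for ref in PATH_RE.findall(code):
                if ref not in baseline:
                    findings.append((rel, lineno, ref))
    return findings


def run_checks(root: Path):
    return {
        "elf": scan_elf_integrity(root, EXPECTED_ELF),
        "autostart": scan_autostart_scripts(root, AUTOSTART_SCRIPTS, BASELINE_PATHS),
    }


def build_sample_tree(base: Path, remove_daemon: bool = False) -> Path:
    """Constructed sample mirroring the infection pattern; no real malware."""
    root = base / "system"
    (root / "bin").mkdir(parents=True)
    (root / "xbin").mkdir()
    # Stock boot script with one appended line that starts a payload.
    (root / "bin" / "install-recovery.sh").write_text(
        "#!/system/bin/sh\n"
        "# stock: flash recovery if needed\n"
        "/system/bin/applypatch -c EMMC:/dev/block/recovery\n"
        "/system/xbin/.svc_helper &   # appended by the infection (constructed)\n"
    )
    if not remove_daemon:
        # Crash daemon swapped for a launcher script instead of an ELF image.
        (root / "bin" / "debuggerd").write_text(
            "#!/system/bin/sh\n/system/xbin/.svc_helper\n"
        )
    # Inert placeholder standing in for the malicious ELF component.
    (root / "xbin" / ".svc_helper").write_bytes(ELF_MAGIC + b"\x00" * 12)
    return root


def demo(remove_daemon: bool = False):
    with tempfile.TemporaryDirectory() as tmp:
        return run_checks(build_sample_tree(Path(tmp), remove_daemon))


if __name__ == "__main__":
    for check, items in demo().items():
        for item in items:
            print(check, *item)
```

On a real dump, `BASELINE_PATHS` should be generated from a known-clean firmware image of the same model rather than typed by hand, and `EXPECTED_ELF` extended to every daemon the build's init scripts launch; the ELF-magic check is deliberately simple so that it also catches a daemon replaced by an empty or truncated file.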


According to Doctor Web, Vo1d has infected roughly 1.3 million devices in 197 countries, with Brazil being affected the most. Numerous infections were also seen in Algeria, Argentina, Ecuador, Indonesia, Malaysia, Morocco, Pakistan, Russia, Saudi Arabia, and Tunisia.

The cybersecurity firm notes that Vo1d likely targets Android-based boxes because they run older Android versions with unpatched vulnerabilities; the infected devices reported Android 7.1, 10 and 12.

Such vulnerable devices remain in use either because manufacturers chose not to ship newer Android releases, or because users assume that TV boxes are less exposed than phones and tablets and therefore never install security software on them.

“The source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access,” Doctor Web notes.

“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified,” a Google spokesperson told SecurityWeek.

*Updated with statement from Google.

Related: BingoMod Android RAT Wipes Devices After Stealing Money

Related: Many Android Apps Expose Users to Attacks Due to Failure to Patch Google Library

Related: Advanced Android Spyware Remained Hidden for Two Years

Related: Android Malware Targets North Korean Defectors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
