Cybercriminals continue to enhance the capabilities of the botnet known as Vo1d, which has grown significantly over the past half a year.
In September 2024, Russian security firm Doctor Web warned that 1.3 million Android TV boxes around the world had been ensnared in the Vo1d botnet.
Chinese security company QiAnXin (QAX) has also monitored the threat and on Thursday reported seeing nearly 90 new samples of the malware. Its researchers have observed activity from roughly 800,000 unique IPs associated with the botnet every day, with a peak at nearly 1.6 million on January 14, 2025.
According to QiAnXin, the botnet has evolved in terms of stealth, resilience and anti-detection capabilities. Specifically, the cybercriminals are attempting to prevent command and control (C&C) domain takeover by using RSA encryption to secure communication.
The botnet’s resilience and flexibility have been enhanced through the use of hardcoded and DGA-based redirector C&C servers. In an effort to increase the difficulty of analyzing the malware, each payload now uses a unique downloader with XXTEA encryption and RSA-protected keys.
The Vo1d botnet has mainly been used for anonymous proxy services and for ad/click fraud. Proxy services can make a lot of money for cybercriminals, as demonstrated by the 911 S5 (Cloud Router) botnet, which helped its operators make $99 million.
However, such a big botnet could be abused for various other purposes as well, including massive DDoS attacks, as well as to broadcast unauthorized content to the large number of infected Android TV boxes.
Nearly a quarter of the Vo1d-infected devices are in Brazil, followed by South Africa (13%), Indonesia (10%), Argentina (5%), Thailand (3%), and China (3%) — infections have been seen across over 200 countries and regions.
As for how these Android TV devices are getting infected with the Vo1d malware, researchers believe it’s either through a supply chain attack (the malware is pre-installed by some manufacturers), or due to users failing to secure their devices and installing malicious software disguised as useful apps and tools.
QiAnXin researchers also reported finding some links to Bigpanzi, another botnet powered by a significant number of Android TV boxes.
UPDATE: Google has clarified that the impacted devices are using Android Open Source Project rather than the Google-developed Android TV operating system. A Google spokesperson also told SecurityWeek:
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”
Related: Botnet of 190,000 BadBox-Infected Android Devices Discovered
Related: Chinese Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts
