Brazil, South Africa, Indonesia, Argentina, and Thailand have develop into the targets of a marketing campaign that has contaminated Android TV units with a botnet malware dubbed Vo1d.
The improved variant of Vo1d has been discovered to embody 800,000 each day energetic IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 nations. As of February 25, 2025, India has skilled a notable surge in an infection fee, rising from lower than 1% (3,901) to 18.17% (217,771).
“Vo1d has advanced to boost its stealth, resilience, and anti-detection capabilities,” QiAnXin XLab stated. “RSA encryption secures community communication, stopping [command-and-control] takeover even when [the Domain Generation Algorithm] domains are registered by researchers. Every payload makes use of a novel Downloader, with XXTEA encryption and RSA-protected keys, making evaluation tougher.”
The malware was first documented by Physician Internet in September 2024 as affecting Android-based TV containers via a backdoor that is able to downloading extra executables based mostly on directions issued by the command-and-control (C2) server.
It isn’t precisely clear how the compromises happen, though it is suspected to both contain some type of a provide chain assault or using unofficial firmware variations with built-in root entry.
Google instructed The Hacker Information on the time that the contaminated “off-brand” TV fashions weren’t Play Defend-certified Android units and that they seemingly used supply code from the Android Open Supply Undertaking (AOSP) code repository.
The most recent iteration of the malware marketing campaign reveals that it is working at an enormous scale with an intent to facilitate the creation of a proxy community and actions like commercial click on fraud.
XLab theorized that the fast fluctuation within the botnet exercise is probably going because of its infrastructure being leased in particular areas to different prison actors as a part of what it stated is a “rental-return” cycle the place the bots are leased for a set time interval to allow unlawful operations, after which they be part of the bigger Vo1d community.
An evaluation of the newer model of the ELF malware (s63) has discovered that it is designed to obtain, decrypt, and execute a second-stage payload that is answerable for establishing communications with a C2 server.
The decrypted compressed bundle (ts01) accommodates 4 recordsdata: set up.sh, cv, vo1d, and x.apk. It begins with the shell script launching the cv element, which, in flip, launches each vo1d and the Android app after set up.
The vo1d module’s main perform is to decrypt and cargo an embedded payload, a backdoor that is able to establishing communication with a C2 server and downloading and executing a local library.
“Its core performance stays unchanged,” XLab stated. “Nonetheless, it has undergone vital updates to its community communication mechanisms, notably introducing a Redirector C2. The Redirector C2 serves to offer the bot with the true C2 server handle, leveraging a hardcoded Redirector C2 and a big pool of domains generated by a DGA to assemble an expansive community structure.”
For its half, the malicious Android app carries the bundle identify “com.google.android.gms.secure” in what’s a transparent try and masquerade because the reliable Google Play Providers (“com.google.android.gms”) to fly below the radar. It units up persistence on the host by listening for the “BOOT_COMPLETED” occasion in order that it mechanically runs after every reboot.
It is also engineered to launch two different elements which have an analogous performance as that of the vo1d module. The assault chain paves the way in which for the the deployment of a modular Android malware named Mzmess that comes with for 4 totally different plugins –
- Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) for proxy providers
- Lxhwdg (“com.app.mz.lxhwdgn”), whose objective stays unknown because of its C2 server being offline
- Spirit (“com.app.mz.spiritn”) for advert promotion and visitors inflation
The dearth of infrastructural overlaps between Mzmess and Vo1d has raised the likelihood that the risk behind the malicious exercise could also be renting the service to different teams.
“At the moment, Vo1d is used for revenue, however its full management over units permits attackers to pivot to large-scale cyber assaults or different prison actions [such as distributed denial-of-service (DDoS) attacks],” XLab stated. “Hackers may exploit them to broadcast unauthorized content material.”
