More than 1.3 million Android-based TV boxes have been infected by malware, and security researchers have not yet determined how. The malware, identified as Android.Vo1d, backdoors these devices and enrolls them in a botnet. Although the infected devices run Android-based firmware, they are not Android TV systems, which are licensed and certified by Google. Security firm Doctor Web discovered the infection, but as of now the precise attack vector remains unclear.
What’s Happening & Why This Matters
The attack involves off-brand Android-based TV boxes built on the Android Open Source Project (AOSP). These devices have not gone through the compatibility and security certification that Android TV devices must pass, which leaves them more exposed to attack. The Vo1d malware has infected a wide range of devices in nearly 200 countries, turning them into bots that are controlled remotely through command-and-control (C2) servers.
Although researchers have documented how the malware works, they have yet to determine how the devices were initially compromised. One theory is that the boxes run older, unsupported versions of the Android OS, whose unpatched vulnerabilities would let attackers exploit them remotely.
Infected models include:
- R4 (Android 7.1.2)
- TV BOX (Android 12.1)
- KJ-SMART4KVIP (Android 10.1)
Tracing the infection is complicated by the fact that these TV boxes are not Play Protect certified by Google, meaning they never underwent Google's compatibility and security testing. Owners of these devices may unknowingly be running outdated or unofficial builds of Android, which leaves them exposed. It is also suspected that some devices were compromised before sale, during manufacturing or elsewhere in the supply chain.
Android.Vo1d persists by tampering with core system files: it modifies the install-recovery.sh startup script and replaces the debuggerd system daemon with a script that launches its own components, so the backdoor starts every time the device boots. Once running, it keeps a connection open to the attacker's command-and-control server, giving the operators remote access to the box. Vo1d can also download and run additional malware, further increasing the potential damage to users' devices.
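The following triage script is an added example, not Doctor Web's tooling or anything published with the report. It checks copies of the two files named above after they have been pulled off a box (for instance with `adb pull /system/bin/debuggerd .` and `adb pull /system/bin/install-recovery.sh .`; the exact paths vary by firmware and are an assumption). The heuristics (a debuggerd that is not an ELF binary, an install-recovery.sh that runs anything besides the stock applypatch commands) and the constructed sample files are assumptions made for illustration, not indicators from the page.

```shell
#!/bin/sh
# Added example: quick triage of the two persistence points the article names.
# Heuristics, allow-list and fixture contents are assumptions for illustration.

# Returns 0 if the file begins with the ELF magic bytes 7f 45 4c 46, 1 otherwise.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# A stock debuggerd is a native ELF daemon; a shell script sitting in its place
# is the kind of swap the article describes.
check_debuggerd() {  # $1 = path to the pulled debuggerd
    if is_elf "$1"; then
        echo "ok: $1 is an ELF binary"
        return 0
    fi
    echo "SUSPICIOUS: $1 is not ELF; first line: $(head -n 1 "$1")"
    return 1
}

# A stock AOSP install-recovery.sh only runs applypatch (and logs the outcome).
# Report every non-comment line that launches anything else. The allow-list of
# acceptable commands/keywords below is an assumption, tune it per firmware.
check_install_recovery() {  # $1 = path to the pulled install-recovery.sh
    extra=$(grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -Ev 'applypatch|log -t recovery|^[[:space:]]*(if|then|else|fi|exit)([[:space:]]|$)' \
        || true)
    if [ -z "$extra" ]; then
        echo "ok: $1 only patches recovery"
        return 0
    fi
    echo "SUSPICIOUS: $1 launches extra commands:"
    echo "$extra" | sed 's/^/    /'
    return 1
}

# Constructed sample files (not real device files) so the checks run offline.
# The payload path in the tampered samples is invented.
make_fixtures() {  # $1 = output directory
    mkdir -p "$1"
    printf '\177ELF\002\001\001' > "$1/debuggerd.clean"
    printf '#!/system/bin/sh\n/data/local/tmp/payload &\nexec /system/bin/debuggerd_real "$@"\n' \
        > "$1/debuggerd.bad"
    cat > "$1/install-recovery.clean" <<'EOF'
#!/system/bin/sh
if ! applypatch --check EMMC:/dev/block/recovery:1024:0011; then
  applypatch --bspatch EMMC:/dev/block/boot:2048:2233 EMMC:/dev/block/recovery 0011 1024 2233:/system/recovery-from-boot.p || log -t recovery "Installing new recovery image failed"
else
  log -t recovery "Recovery image already installed"
fi
EOF
    cat > "$1/install-recovery.bad" <<'EOF'
#!/system/bin/sh
/data/local/tmp/payload &
if ! applypatch --check EMMC:/dev/block/recovery:1024:0011; then
  applypatch --bspatch EMMC:/dev/block/boot:2048:2233 EMMC:/dev/block/recovery 0011 1024 2233:/system/recovery-from-boot.p || log -t recovery "Installing new recovery image failed"
fi
EOF
}
```

Run `check_debuggerd` and `check_install_recovery` against the pulled files; a non-zero exit from either is a prompt to image the device and look further, not proof of Vo1d, since custom firmware often ships its own variations of these scripts.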
In terms of geographic distribution, the largest numbers of infections have been identified in countries like Brazil, Morocco, Pakistan, and Saudi Arabia.
TF Summary: What’s Next
This discovery highlights how exposed uncertified Android-based devices are and the risk they pose to consumers. Licensed devices go through rigorous testing; uncertified ones can be tampered with far more easily. Buyers should be cautious when purchasing Android-based devices, check that they are Play Protect certified, and keep them updated. Security firms are still investigating how Android.Vo1d is delivered; in the meantime, users should scan their devices with malware detection tools.