Android.Vo1d Malware
Approximately 1.3 million Android-based TV boxes, operating on outdated system versions and used across 197 countries, have been compromised by a newly discovered malware called Vo1d (also known as Void). This backdoor malware embeds its components in the system storage and can covertly download and install third-party applications upon receiving commands from attackers.
Most infections have been identified in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria and Indonesia.
Multiple Devices Targeted by the Vo1d Attack
The exact source of the infection remains unclear. Still, it's suspected to stem from either a prior compromise that allowed attackers to gain root privileges or the use of unofficial firmware versions with built-in root access.
The following TV models have been targeted in this campaign:
- KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
- R4 (Android 7.1.2; R4 Build/NHG47K)
- TV BOX (Android 12.1; TV BOX Build/NHG47K)
The attack involves replacing the '/system/bin/debuggerd' daemon file (the original file is renamed to 'debuggerd_real' as a backup) and adding two new files: '/system/xbin/vo1d' and '/system/xbin/wd.' These files contain the fraudulent code and run concurrently.
Google noted that the affected TV models were not Play Protect-certified Android devices and likely used source code from the Android Open Source Project (AOSP) repository.
The Cybercriminals Modified Android Files to Deliver Malware
Before Android 8.0, crashes were managed by the debuggerd and debuggerd64 daemons, as noted in Google's Android documentation. Starting with Android 8.0, 'crash_dump32' and 'crash_dump64' are spawned on demand.
As part of the malware campaign, two files that are typically part of the Android operating system – install-recovery.sh and daemonsu – were altered to execute the malware by launching the 'wd' module.
Cybersecurity researchers suggest that the malware authors likely attempted to disguise one of its components as the system program '/system/bin/vold' by naming it 'vo1d,' replacing the lowercase 'l' with the number '1' to create a similar appearance.
The 'vo1d' payload starts the 'wd' module and makes sure it remains active, while also downloading and running executables upon receiving commands from a command-and-control (C2) server. Additionally, it monitors specific directories, installing any APK files it finds.
Unfortunately, it's not unusual for budget device manufacturers to use outdated OS versions and market them as more recent to make their products seem more appealing.