Brazil, South Africa, Indonesia, Argentina, and Thailand have grow to be the targets of a marketing campaign that has contaminated Android TV gadgets with a botnet malware dubbed Vo1d.
The improved variant of Vo1d has been discovered to embody 800,000 every day lively IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 international locations. As of February 25, 2025, India has skilled a notable surge in an infection fee, growing from lower than 1% (3,901) to 18.17% (217,771).
“Vo1d has advanced to boost its stealth, resilience, and anti-detection capabilities,” QiAnXin XLab said. “RSA encryption secures community communication, stopping [command-and-control] takeover even when [the Domain Generation Algorithm] domains are registered by researchers. Every payload makes use of a novel Downloader, with XXTEA encryption and RSA-protected keys, making evaluation tougher.”
The malware was first documented by Physician Internet in September 2024 as affecting Android-based TV bins by the use of a backdoor that is able to downloading further executables based mostly on directions issued by the command-and-control (C2) server.
It is not precisely clear how the compromises happen, though it is suspected to both contain some type of a provide chain assault or the usage of unofficial firmware variations with built-in root entry.
Google instructed The Hacker Information on the time that the contaminated “off-brand” TV fashions weren’t Play Defend-certified Android gadgets and that they seemingly used supply code from the Android Open Supply Mission (AOSP) code repository.
The newest iteration of the malware marketing campaign exhibits that it is working at an enormous scale with an intent to facilitate the creation of a proxy community and actions like commercial click on fraud.
XLab theorized that the speedy fluctuation within the botnet exercise is probably going as a consequence of its infrastructure being leased in particular areas to different prison actors as a part of what it mentioned is a “rental-return” cycle the place the bots are leased for a set time interval to allow unlawful operations, after which they be part of the bigger Vo1d community.
An evaluation of the newer model of the ELF malware (s63) has discovered that it is designed to obtain, decrypt, and execute a second-stage payload that is chargeable for establishing communications with a C2 server.
The decrypted compressed package deal (ts01) incorporates 4 recordsdata: set up.sh, cv, vo1d, and x.apk. It begins with the shell script launching the cv part, which, in flip, launches each vo1d and the Android app after set up.
The vo1d module’s main perform is to decrypt and cargo an embedded payload, a backdoor that is able to establishing communication with a C2 server and downloading and executing a local library.
“Its core performance stays unchanged,” XLab mentioned. “Nevertheless, it has undergone vital updates to its community communication mechanisms, notably introducing a Redirector C2. The Redirector C2 serves to supply the bot with the true C2 server handle, leveraging a hardcoded Redirector C2 and a big pool of domains generated by a DGA to assemble an expansive community structure.”
For its half, the malicious Android app carries the package deal title “com.google.android.gms.secure” in what’s a transparent try and masquerade because the legit Google Play Services (“com.google.android.gms”) to fly beneath the radar. It units up persistence on the host by listening for the “BOOT_COMPLETED” occasion in order that it robotically runs after every reboot.
It is also engineered to launch two different parts which have an analogous performance as that of the vo1d module. The assault chain paves the way in which for the the deployment of a modular Android malware named Mzmess that includes for 4 completely different plugins –
- Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) for proxy companies
- Lxhwdg (“com.app.mz.lxhwdgn”), whose objective stays unknown as a consequence of its C2 server being offline
- Spirit (“com.app.mz.spiritn”) for advert promotion and visitors inflation
The dearth of infrastructural overlaps between Mzmess and Vo1d has raised the likelihood that the risk behind the malicious exercise could also be renting the service to different teams.
“Presently, Vo1d is used for revenue, however its full management over gadgets permits attackers to pivot to large-scale cyber assaults or different prison actions [such as distributed denial-of-service (DDoS) attacks],” XLab mentioned. “Hackers may exploit them to broadcast unauthorized content material.”
