An Android TV Box is a small device that connects to your TV and allows you to access a wide range of online content, apps, and services.
It runs on the Android operating system, similar to smartphones and tablets, and provides a user-friendly interface for navigating and streaming content directly on your TV.
Cybersecurity analysts at Dr. Web recently, in August 2024, discovered that more than 1.3 million Android TV Boxes were hijacked by Android.Vo1d malware.
1.3 Million Android TV Box Hijacked
Android.Vo1d has infected approximately 1.3 million Android-based TV boxes across 197 countries.
This backdoor trojan employs advanced techniques to evade detection and establish persistence. It infiltrates the system storage area, modifying crucial files like install-recovery.sh and daemonsu.
The malware creates four new files in the device’s file system and here below we have mentioned them:-
- /system/xbin/vo1d
- /system/xbin/wd
- /system/bin/debuggerd
- /system/bin/debuggerd_real
Android.Vo1d’s components, “vo1d” and “wd,” are cleverly disguised to mimic legitimate system processes.
The trojan exploits root access to modify the install-recovery.sh script, ensuring it runs automatically at system startup. This enables the malware to hiddenly download and install additional malicious software when instructed by its operators.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
Here below we have mentioned all the affected models:-
- R4 (Declared firmware version – Android 7.1.2; R4 Build/NHG47K)
- TV BOX (Declared firmware version – Android 12.1; TV BOX Build/NHG47K)
- KJ-SMART4KVIP (Declared firmware version – Android 10.1; KJ-SMART4KVIP Build/NHG47K)
The name “Vo1d” itself is a clever obfuscation, replacing the lowercase “l” in “vold” and is a legitimate Android system process. Besides this, the number “1,” makes it visually similar to the English word “void.”
This complicated infection strategy highlights the growing sophistication of mobile malware targeting smart devices beyond traditional smartphones.
Android.Vo1d exploits root access on Android devices, particularly targeting outdated versions like Android 7.1.
It employs multiple persistence methods by modifying system files, and its components include:-
- Android.Vo1d.1 (vo1d file): It manages activities and downloads executables from the Command and Control (C&C) server.
- Android.Vo1d.3 (wd module): It installs and launches the encrypted Android.Vo1d.5 daemon, monitors directories, and installs APK files.
- Android.Vo1d.5: It provides additional functionality.
All these components use the daemonsu file for root privileges and manipulate the debuggerd daemon by replacing it with a script to launch the wd component, Dr. Web said.
The malware also modifies the install-recovery.sh script to ensure autostart. Android.Vo1d’s spread was facilitated by outdated Android versions and users’ illusions about TV box security.
The geographical distribution of this malware includes Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia. While the exact infection source remains unknown.
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar