
Vo1d Botnet’s Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries


Mar 03, 2025 | Ravie Lakshmanan | Mobile Security / Botnet


Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.

The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries. As of February 25, 2025, India has experienced a notable surge in infection rate, increasing from less than 1% (3,901) to 18.17% (217,771).

“Vo1d has evolved to enhance its stealth, resilience, and anti-detection capabilities,” QiAnXin XLab said. “RSA encryption secures network communication, preventing [command-and-control] takeover even if [the Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis harder.”


The malware was first documented by Doctor Web in September 2024 as affecting Android-based TV boxes by means of a backdoor that's capable of downloading additional executables based on instructions issued by the command-and-control (C2) server.

It's not exactly clear how the compromises occur, although it's suspected to either involve some kind of supply chain attack or the use of unofficial firmware versions with built-in root access.

Google told The Hacker News at the time that the infected “off-brand” TV models were not Play Protect-certified Android devices and that they likely used source code from the Android Open Source Project (AOSP) code repository.


The latest iteration of the malware campaign reveals that it's operating at a massive scale with an intent to facilitate the creation of a proxy network and activities like advertisement click fraud.

XLab theorized that the rapid fluctuation in the botnet activity is likely due to its infrastructure being leased in specific regions to other criminal actors as part of what it said is a “rental-return” cycle, where the bots are leased for a set time period to enable illegal operations, after which they rejoin the larger Vo1d network.

An analysis of the newer version of the ELF malware (s63) has found that it's designed to download, decrypt, and execute a second-stage payload that's responsible for establishing communications with a C2 server.

The decrypted compressed package (ts01) contains four files: install.sh, cv, vo1d, and x.apk. It starts with the shell script launching the cv component, which, in turn, launches both vo1d and the Android app after installation.

The vo1d module's primary function is to decrypt and load an embedded payload, a backdoor that's capable of establishing communication with a C2 server and downloading and executing a native library.


“Its core functionality remains unchanged,” XLab said. “However, it has undergone significant updates to its network communication mechanisms, notably introducing a Redirector C2. The Redirector C2 serves to provide the bot with the real C2 server address, leveraging a hardcoded Redirector C2 and a large pool of domains generated by a DGA to construct an expansive network architecture.”

For its part, the malicious Android app carries the package name “com.google.android.gms.secure” in what's a clear attempt to masquerade as the legitimate Google Play Services (“com.google.android.gms”) to fly under the radar. It sets up persistence on the host by listening for the “BOOT_COMPLETED” event so that it automatically runs after every reboot.


It's also engineered to launch two other components that have the same functionality as the vo1d module. The attack chain paves the way for the deployment of a modular Android malware named Mzmess that includes four different plugins:

  • Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) for proxy services
  • Lxhwdg (“com.app.mz.lxhwdgn”), whose purpose remains unknown due to its C2 server being offline
  • Spirit (“com.app.mz.spiritn”) for ad promotion and traffic inflation
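The two preceding passages give a defender something concrete to look for on a device: the Vo1d dropper's look-alike package name, its BOOT_COMPLETED persistence, and the four Mzmess plugin package names. The script below is an added example, not code from the article or from XLab; it audits a package inventory for those indicators. It assumes the input is the text of `adb shell pm list packages -f` (lines of the form `package:<apk path>=<package name>`) and that BOOT_COMPLETED receiver component names were collected separately in Android's flattened `package/Class` form. The sample inventory, the receiver list and the `com.google.android.gms.update` name are constructed for the demonstration; only the package names quoted in the article are taken from the page.

```python
"""Audit an Android TV package inventory for the Vo1d / Mzmess indicators
named in the article (added example; sample data below is constructed)."""
from dataclasses import dataclass

# Package names exactly as the article lists them.
KNOWN_MALICIOUS = {
    "com.google.android.gms.secure": "Vo1d dropper APK masquerading as Google Play Services",
    "com.app.mz.popan": "Mzmess Popa plugin (proxy service)",
    "com.app.mz.jaguarn": "Mzmess Jaguar plugin (proxy service)",
    "com.app.mz.lxhwdgn": "Mzmess Lxhwdg plugin (purpose unknown)",
    "com.app.mz.spiritn": "Mzmess Spirit plugin (ad promotion / traffic inflation)",
}

# The legitimate Google Play Services package that Vo1d imitates.
LEGIT_GMS = "com.google.android.gms"


@dataclass(frozen=True)
class Finding:
    package: str
    apk_path: str
    reason: str


def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.

    The path itself may contain '=' (e.g. /data/app/~~<base64>==/...),
    so split on the last '=' only.
    """
    packages: dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        if path and name:
            packages[name] = path
    return packages


def audit_packages(packages: dict[str, str]) -> list[Finding]:
    """Flag known Vo1d/Mzmess package names and Play Services look-alikes."""
    findings: list[Finding] = []
    for name, path in packages.items():
        if name in KNOWN_MALICIOUS:
            findings.append(Finding(name, path, KNOWN_MALICIOUS[name]))
        elif name.startswith(LEGIT_GMS + ".") and path.startswith("/data/app/"):
            # Heuristic: Play Services is exactly "com.google.android.gms". A longer
            # name installed under /data/app deserves a manual look; some OEM builds
            # ship legitimate gms.* helper modules, so this is a review item, not proof.
            findings.append(Finding(name, path, "user-installed look-alike of Google Play Services"))
    return findings


def boot_persistent(findings: list[Finding], boot_receivers: list[str]) -> list[Finding]:
    """Return the flagged packages that also register a BOOT_COMPLETED receiver.

    `boot_receivers` holds flattened component names ("package/Class").
    """
    owners = {component.split("/", 1)[0] for component in boot_receivers}
    return [f for f in findings if f.package in owners]


# --- Constructed sample input (not real device output) ---
SAMPLE_PM_LIST = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/data/app/~~Q2FsbGVk==/com.google.android.gms.secure-1/base.apk=com.google.android.gms.secure
package:/data/app/~~U3Bpcml0==/com.app.mz.popan-1/base.apk=com.app.mz.popan
package:/data/app/~~dXBkYXRl==/com.google.android.gms.update-1/base.apk=com.google.android.gms.update
package:/system/app/NetflixStub/NetflixStub.apk=com.netflix.ninja
"""

SAMPLE_BOOT_RECEIVERS = [  # constructed component names
    "com.android.providers.calendar/.CalendarReceiver",
    "com.google.android.gms.secure/.BootReceiver",
    "com.netflix.ninja/.BootReceiver",
]


def run_sample() -> tuple[list[Finding], list[Finding]]:
    """Run the audit over the constructed sample: (all findings, boot-persistent ones)."""
    findings = audit_packages(parse_pm_list(SAMPLE_PM_LIST))
    return findings, boot_persistent(findings, SAMPLE_BOOT_RECEIVERS)


if __name__ == "__main__":
    flagged, persistent = run_sample()
    for f in flagged:
        tag = "PERSISTENT " if f in persistent else ""
        print(f"{tag}{f.package} ({f.apk_path}): {f.reason}")
```

Feed real devices by piping `adb shell pm list packages -f` into `parse_pm_list`; the exact-match list catches the indicators the article names, while the look-alike heuristic is deliberately loose because the article notes the dropper's whole strategy is to resemble Play Services, so a Play-Services-prefixed package in the user-installed partition is worth a human's attention even when its name is not on any list.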

The lack of infrastructural overlaps between Mzmess and Vo1d has raised the possibility that the threat actor behind the malicious activity may be renting the service to other groups.

“Currently, Vo1d is used for profit, but its full control over devices allows attackers to pivot to large-scale cyber attacks or other criminal activities [such as distributed denial-of-service (DDoS) attacks],” XLab said. “Hackers could exploit them to broadcast unauthorized content.”
