Countries such as Brazil, South Africa, Indonesia, Argentina, and Thailand are being targeted by a campaign that is infecting Android TV devices with a botnet malware known as Vo1d.
The updated version of Vo1d has been found to have 800,000 daily active IP addresses, with the botnet peaking at 1,590,299 on January 19, 2025, and spanning 226 countries. India has seen a significant increase in infection rates, rising from less than 1% (3,901) to 18.17% (217,771) as of February 25, 2025.
According to QiAnXin XLab, “Vo1d has evolved to improve its stealth, resilience, and anti-detection capabilities. It uses RSA encryption to secure network communication, preventing command-and-control takeover even if the Domain Generation Algorithm domains are registered by researchers. Each payload has a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis more difficult.”
The malware was first documented by Doctor Web in September 2024 as affecting Android-based TV boxes through a backdoor that can download additional executables based on instructions from the command-and-control (C2) server.
Although the exact method of compromise is unclear, it is suspected to involve either a supply chain attack or the use of unofficial firmware versions with built-in root access.
Google stated that the infected “off-brand” TV models were not Play Protect-certified Android devices and likely used source code from the Android Open Source Project (AOSP) code repository.
The latest iteration of the malware campaign indicates that it is operating at a massive scale, with the intention of creating a proxy network and engaging in activities such as advertisement click fraud.
XLab theorizes that the rapid fluctuation in botnet activity is likely due to the infrastructure being leased in specific regions to other criminal actors as part of a “rental-return” cycle, where the bots are leased for a set time period to enable illegal operations before joining the larger Vo1d network.
An analysis of the newer version of the ELF malware (s63) reveals that it is designed to download, decrypt, and execute a second-stage payload responsible for establishing communication with a C2 server.
The decrypted compressed package (ts01) contains four files: install.sh, cv, vo1d, and x.apk. The process begins with the shell script launching the cv component, which in turn launches both vo1d and the Android app after installation.
The vo1d module’s primary function is to decrypt and load an embedded payload, a backdoor that can establish communication with a C2 server and download and execute a native library.
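XLab's description above names XXTEA as the cipher protecting each downloader's payload. As an added analysis aid, not code from the article or from XLab's report, the following pure-Python implementation of XXTEA (Corrected Block TEA) shows what an analyst needs to recover such a payload once the key has been extracted; the little-endian word order, the 128-bit key and the sample message are assumptions and constructed values, and a real sample may differ in byte order or padding.

```python
import struct

# XXTEA (Corrected Block TEA) constants; all arithmetic is modulo 2**32.
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(total, y, z, p, e, key):
    """The XXTEA mixing function MX from the reference algorithm."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def _words(data):
    # Assumption: little-endian 32-bit words, as on ARM-based TV boxes.
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _check(data, key):
    if len(key) != 16:
        raise ValueError("XXTEA key must be 128 bits")
    if len(data) < 8 or len(data) % 4:
        raise ValueError("data must be >= 8 bytes and a multiple of 4")


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    _check(data, key)
    v, k, n = _words(data), _words(key), len(data) // 4
    total, z = 0, v[n - 1]
    for _ in range(6 + 52 // n):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            v[p] = z = (v[p] + _mx(total, v[p + 1], z, p, e, k)) & MASK
        v[n - 1] = z = (v[n - 1] + _mx(total, v[0], z, n - 1, e, k)) & MASK
    return struct.pack("<%dI" % n, *v)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    _check(data, key)
    v, k, n = _words(data), _words(key), len(data) // 4
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = y = (v[p] - _mx(total, y, v[p - 1], p, e, k)) & MASK
        v[0] = y = (v[0] - _mx(total, y, v[n - 1], 0, e, k)) & MASK
        total = (total - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)


if __name__ == "__main__":
    key = bytes(range(16))            # constructed sample key, not from a real sample
    blob = xxtea_encrypt(b"install.sh\x00\x00", key)
    print(blob.hex(), xxtea_decrypt(blob, key))
```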