Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

March 3, 2025 | Ravie Lakshmanan | Mobile Security / Botnet

Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has spread a botnet malware known as Vo1d to Android TV devices.

The enhanced version of Vo1d has 800,000 daily active IP addresses, with a global footprint across 226 countries that peaked at 1,590,299 on January 19, 2025. As of February 25, 2025, India has seen a notable surge in infection rate, rising from less than 1% (3,901) to 18.17% (217,771).

"Vo1d has evolved to enhance its stealth, resilience, and anti-detection capabilities," according to QiAnXin XLab. "RSA encryption secures network communication, preventing [command-and-control] takeover even if [Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader with XXTEA encryption and RSA-protected keys, making analysis more difficult."

Doctor Web first documented the malware in September 2024, when it was found infecting Android-based TV boxes with a backdoor capable of downloading additional executables on instructions from the command-and-control (C2) server.

It is not entirely clear how the compromises occur, although it is suspected to involve either a supply chain attack or the use of unofficial firmware versions with built-in root access.

The infected "off-brand" TV models were not Play Protect-certified Android devices, according to Google, which told The Hacker News at the time that they most likely used source code from the Android Open Source Project (AOSP) code repository.

The latest iteration of the malware campaign shows that it is operating at a large scale to facilitate the creation of a proxy network and to engage in fraud such as ad click fraud.

According to XLab, the rapid fluctuation in botnet activity is most likely the result of the infrastructure being leased to other criminal actors in particular regions as part of what it called a "rental-return" cycle, in which the bots are leased for a specific period to enable illegal operations before rejoining the larger Vo1d network.

A recent analysis of the older version of the ELF malware (s63) uncovered a second-stage payload that is responsible for communicating with a C2 server.

The decrypted compressed package (ts01) contains four files: install.sh, cv, vo1d, and x.apk. Once installed, the shell script launches the cv component, which in turn launches both vo1d and the Android app.

The main function of the vo1d module is to decrypt and load an embedded payload, a backdoor that can communicate with a C2 server and download and execute a native library.

Its core functionality remains unchanged, according to XLab. It has, however, undergone significant changes to its network communication mechanisms, most notably the introduction of a Redirector C2. The Redirector C2 uses a predefined Redirector C2 together with a large number of domains generated by a DGA to build an expansive network infrastructure that supplies the bot with the actual C2 server address.

The malicious Android app, for its part, carries the package name "com.google.android.gms.stable" in a clear attempt to pass itself off as the legitimate Google Play Services package ("com.google.android.gms") and fly under the radar. By listening for the "BOOT_COMPLETED" event, it establishes persistence on the device and runs automatically after every reboot.

Additionally, it is designed to drop two further components with functionality similar to that of the vo1d module. The infection chain paves the way for the deployment of a modular Android malware called Mzmess that comes with four distinct plugins.

  • Popa ("com.app.mz.popa") and Jaguar ("com.app.mz.jaguar") for proxy services
  • Lxhwdg ("com.app.mz.lxhwdg"), whose purpose is unknown because its C2 server is offline
  • Spirit ("com.app.mz.spirit") for ad promotion and traffic inflation
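A defender-side triage script, added here as an illustration (not code from the article or from XLab), that scans the output of `adb shell pm list packages` for the package names reported above: the impersonating "com.google.android.gms.stable" app and the "com.app.mz." Mzmess plugins. The sample `pm` output is constructed for the demo, and `com.google.android.gms.examplemodule` is a made-up name standing in for the few genuine Google module packages that share the GMS prefix.

```python
"""Triage an Android TV box's package list for Vo1d / Mzmess indicators."""
import re
from typing import List, Tuple

LEGIT_GMS = "com.google.android.gms"           # genuine Google Play Services
VO1D_APP = "com.google.android.gms.stable"     # impersonating app dropped by Vo1d
MZMESS_PREFIX = "com.app.mz."                  # Mzmess plugins: popa, jaguar, lxhwdg, spirit

PKG_LINE = re.compile(r"^package:(\S+)$")      # one line of `pm list packages`


def classify_package(name: str) -> str:
    """Return 'vo1d', 'mzmess', 'review' or 'ok' for a single package name."""
    if name == VO1D_APP:
        return "vo1d"
    if name.startswith(MZMESS_PREFIX):
        return "mzmess"
    # Anything else nested under the real GMS name deserves a manual look.
    # Google does ship some com.google.android.gms.* module packages, so this
    # is a review hint rather than a verdict.
    if name != LEGIT_GMS and name.startswith(LEGIT_GMS + "."):
        return "review"
    return "ok"


def triage(pm_output: str) -> List[Tuple[str, str]]:
    """Parse `pm list packages` text; return (package, verdict) for every non-'ok' entry."""
    findings: List[Tuple[str, str]] = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if not m:
            continue                            # blank lines or adb noise
        verdict = classify_package(m.group(1))
        if verdict != "ok":
            findings.append((m.group(1), verdict))
    return findings


# Constructed sample output; a real capture comes from `adb shell pm list packages`.
SAMPLE_PM_OUTPUT = """\
package:com.android.tv.settings
package:com.google.android.gms
package:com.google.android.gms.stable
package:com.app.mz.popa
package:com.app.mz.spirit
package:com.google.android.gms.examplemodule
package:com.example.streamingapp
"""

if __name__ == "__main__":
    for pkg, verdict in triage(SAMPLE_PM_OUTPUT):
        print(f"{verdict:7s} {pkg}")
```

A hit on "vo1d" or "mzmess" is a strong indicator; a "review" hit only says the name sits under the GMS prefix and should be compared against the device's expected Google packages.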

The lack of infrastructure overlap between Mzmess and Vo1d raises the possibility that the threat actor behind the malicious activity may be renting the service out to different groups.

Vo1d is currently used for profit, but it has complete control over its devices, making it possible for the operators to launch large-scale cyberattacks or engage in other criminal activity, such as distributed denial-of-service (DDoS) attacks, according to XLab. They could also use the devices to broadcast unlicensed content.
