Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.
The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries. As of February 25, 2025, India has experienced a notable surge in infection rate, increasing from less than 1% (3,901) to 18.17% (217,771).
“Vo1d has evolved to enhance its stealth, resilience, and anti-detection capabilities,” QiAnXin XLab said. “RSA encryption secures network communication, preventing [command-and-control] takeover even if [the Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis harder.”
The malware was first documented by Doctor Web in September 2024 as affecting Android-based TV boxes by means of a backdoor that’s capable of downloading additional executables based on instructions issued by the command-and-control (C2) server.
It’s not exactly clear how the compromises take place, although it’s suspected to either involve some kind of a supply chain attack or the use of unofficial firmware versions with built-in root access.
Google told The Hacker News at the time that the infected “off-brand” TV models were not Play Protect-certified Android devices and that they likely used source code from the Android Open Source Project (AOSP) code repository.
The latest iteration of the malware campaign shows that it’s operating at a massive scale with an intent to facilitate the creation of a proxy network and activities like advertisement click fraud.
XLab theorized that the rapid fluctuation in the botnet activity is likely due to its infrastructure being leased in specific regions to other criminal actors as part of what it said is a “rental-return” cycle where the bots are leased for a set time period to enable illegal operations, after which they join the larger Vo1d network.
An analysis of the newer version of the ELF malware (s63) has found that it’s designed to download, decrypt, and execute a second-stage payload that’s responsible for establishing communications with a C2 server.
The decrypted compressed package (ts01) contains four files: install.sh, cv, vo1d, and x.apk. It starts with the shell script launching the cv component, which, in turn, launches both vo1d and the Android app after installation.
The vo1d module’s primary function is to decrypt and load an embedded payload, a backdoor that’s capable of establishing communication with a C2 server and downloading and executing a native library.
“Its core functionality remains unchanged,” XLab said. “However, it has undergone significant updates to its network communication mechanisms, notably introducing a Redirector C2. The Redirector C2 serves to provide the bot with the real C2 server address, leveraging a hardcoded Redirector C2 and a large pool of domains generated by a DGA to construct an expansive network architecture.”
For its part, the malicious Android app carries the package name “com.google.android.gms.stable” in what’s a clear attempt to masquerade as the legitimate Google Play Services (“com.google.android.gms”) to fly under the radar. It sets up persistence on the host by listening for the “BOOT_COMPLETED” event so that it automatically runs after each reboot.
It’s also engineered to launch two other components that have a similar functionality as that of the vo1d module. The attack chain paves the way for the the deployment of a modular Android malware named Mzmess that incorporates for four different plugins –
- Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) for proxy services
- Lxhwdg (“com.app.mz.lxhwdgn”), whose purpose remains unknown due to its C2 server being offline
- Spirit (“com.app.mz.spiritn”) for ad promotion and traffic inflation
The lack of infrastructural overlaps between Mzmess and Vo1d has raised the possibility that the threat behind the malicious activity may be renting the service to other groups.
“Currently, Vo1d is used for profit, but its full control over devices allows attackers to pivot to large-scale cyber attacks or other criminal activities [such as distributed denial-of-service (DDoS) attacks],” XLab said. “Hackers could exploit them to broadcast unauthorized content.”
