These Android TV boxes are infected by Vo1d malware


Attention Android TV box users! There is new malware out there. However, you don’t have to worry if your device is officially certified by Play Protect. The malware, known as Vo1d, directly targets Android streaming devices running older versions of the software.

1.3 million Android streaming boxes infected by Vo1d malware

Cybersecurity experts from Dr.Web found around 1.3 million Android streaming boxes infected with Vo1d. These TV boxes are present in 197 countries worldwide. The list of most affected countries includes Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia. The malware is “capable of secretly downloading and installing third-party software,” according to the Russian antivirus vendor’s report.

Vo1d takes advantage of security holes in older versions of Android TV that allow it to gain root access. It’s also present on some devices that ship with root access enabled by default. The malware installs itself on sensitive internal storage partitions that normally cannot be written to without elevated privileges, which is what lets it persist. It first replaces the “/system/bin/debuggerd” daemon file. Then, it downloads two malicious files and places them at “/system/xbin/vo1d” and “/system/xbin/wd.”

TV box models infected run Android 7 and older

The Vo1d developers (of unknown origin) directly targeted the following Android streaming devices: KJ-SMART4KVIP (Android 10.1; build/NHG47K), R4 (Android 7.1.2; build/NHG47K), and TV BOX (Android 12.1; build/NHG47K).

Vo1d exploits a vulnerability found in versions older than Android 8.0. Interestingly, the list of infected devices includes models allegedly running newer versions, such as Android 10 or even Android 12. However, that’s because certain manufacturers of cheap Android TV boxes camouflage the actual underlying Android version to make it look like a newer one, using it as a sales pitch.

The malware cannot function on Android 8 or later due to a different crash handling approach in which the debuggerd and debuggerd64 daemons become irrelevant. Instead, new crash_dump32 and crash_dump64 daemons are spawned “as needed,” Google’s documentation says. Furthermore, the malware’s name is not chosen at random. There’s a “/system/bin/vold” path on older versions of Android. Vo1d imitates that legitimate daemon, swapping the letter “l” for the digit “1” in a similarly named file in an attempt to avoid detection.
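The indicators above (the two dropped files, the replaced debuggerd daemon, the vold/vo1d lookalike name, and the fact that Android 8+ ships crash_dump32/crash_dump64 instead of debuggerd) can be turned into a quick offline triage check over a file listing pulled from a box. The following script is an added example written for this article, not code from Dr.Web or from the article; the file listing it scans is constructed here so it runs without a device, and the version-mismatch heuristic rests on the crash_dump versus debuggerd distinction stated above, not on any additional Android internals.

```python
"""Triage an Android TV box file listing for the Vo1d indicators named in the
article. In practice the listing would come from something like
`adb shell find /system -type f`; here a constructed sample is embedded."""

# Paths the Dr.Web report names as the dropped Vo1d files.
VO1D_PATHS = {"/system/xbin/vo1d", "/system/xbin/wd"}

# Legitimate daemons Vo1d either replaces (debuggerd) or imitates (vold).
KNOWN_DAEMONS = {"vold", "debuggerd", "debuggerd64"}

# Digit/letter pairs that look alike in most fonts; folding them exposes
# names such as "vo1d" that collapse onto a real daemon name.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "I": "l", "|": "l"})

SYSTEM_DIRS = ("/system/bin", "/system/xbin")


def normalise(name):
    """Fold homoglyph characters so 'vo1d' becomes 'vold'."""
    return name.translate(HOMOGLYPHS)


def known_indicators(paths):
    """Exact matches against the dropped-file paths from the report."""
    return sorted(VO1D_PATHS & set(paths))


def lookalike_daemons(paths):
    """Binaries in /system/bin or /system/xbin that are not a known daemon
    but become one once homoglyphs are folded (catches vo1d and variants)."""
    hits = []
    for path in paths:
        directory, _, name = path.rpartition("/")
        if directory not in SYSTEM_DIRS or name in KNOWN_DAEMONS:
            continue
        if normalise(name) in KNOWN_DAEMONS:
            hits.append(path)
    return sorted(hits)


def version_mismatch(paths, advertised_release):
    """Android 8+ replaced debuggerd with crash_dump32/crash_dump64. A box
    that claims release >= 8 yet carries debuggerd and no crash_dump binary
    is likely reporting a camouflaged (older) Android version."""
    major = int(advertised_release.split(".")[0])
    present = set(paths)
    has_debuggerd = "/system/bin/debuggerd" in present
    has_crash_dump = bool(
        present & {"/system/bin/crash_dump32", "/system/bin/crash_dump64"}
    )
    return major >= 8 and has_debuggerd and not has_crash_dump


def triage(paths, advertised_release):
    """Combine the three checks into one report dictionary."""
    return {
        "known_indicators": known_indicators(paths),
        "lookalikes": lookalike_daemons(paths),
        "version_mismatch": version_mismatch(paths, advertised_release),
    }


# Constructed sample: a box advertising Android 12.1 (as in the article's
# "TV BOX" entry) but carrying the Android 7-era debuggerd and Vo1d files.
SAMPLE_INFECTED = [
    "/system/bin/vold",
    "/system/bin/debuggerd",
    "/system/bin/debuggerd64",
    "/system/bin/sh",
    "/system/xbin/vo1d",
    "/system/xbin/wd",
    "/system/xbin/su",
]
SAMPLE_INFECTED_RELEASE = "12.1"

# Constructed sample: a genuine Android 10 box with the new crash handlers.
SAMPLE_CLEAN = [
    "/system/bin/vold",
    "/system/bin/crash_dump32",
    "/system/bin/crash_dump64",
    "/system/bin/sh",
]
SAMPLE_CLEAN_RELEASE = "10"

if __name__ == "__main__":
    for label, paths, rel in (
        ("infected sample", SAMPLE_INFECTED, SAMPLE_INFECTED_RELEASE),
        ("clean sample", SAMPLE_CLEAN, SAMPLE_CLEAN_RELEASE),
    ):
        print(label, triage(paths, rel))
```

The exact-path check is the strongest signal but only catches the two file names the report published; the homoglyph fold catches renamed variants that still try to pass as vold or debuggerd, and the crash_dump check flags the camouflaged-version trick independently of whether Vo1d itself is present.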

Devices with Play Protect certification are safe

Google confirmed that the infected devices are not Play Protect certified, meaning they never went through Google’s compatibility review. Instead, their manufacturers most likely built the OS from AOSP code on their own. Had the devices gone through certification, Google’s security systems would likely have detected the malware during review. This is an example of the risks of buying products of dubious origin in order to save some money. It’s crucial to exercise caution with devices that have an internet connection and store sensitive personal data, so it is better to choose well-known products that are less likely to appear in news stories about malware attacks.

2024-09-14 15:06:31