New Vo1d Backdoor Malware Infects Over 1.3 Million TV Streaming Boxes Across 200 Countries
- Research firm Doctor Web discovered a new malware that has been targeting TV streaming boxes running on AOSP across Pakistan, Tunisia, Algeria, and many other countries.
- Devices that are running on outdated versions of the firmware with vulnerabilities are being targeted.
- Google also mentioned that these are off-brand devices, neither running on Android TV OS nor Play Protect certified.
A new Vo1d backdoor malware has infected over 1.3 million TV streaming boxes running on the Android Open Source Project (AOSP).
AOSP is an open-source operating system created by Google and can be used on mobile, streaming, and IoT devices.
The Android firmware that is being targeted includes:
- Android 7.1.2; R4 Build/NHG47K
- Android 12.1; TV BOX Build/NHG47K
- Android 10.1; KJ-SMART4KVIP Build/NHG47K
The campaign was discovered by France-based cybersecurity company Doctor Web. It found that more than 1.3 million devices have already been infected by this malware across 200 countries including Pakistan, Saudi Arabia, Tunisia, Malaysia, Algeria, etc.
The worst part is that there are a number of variants of this malware, each equally dangerous. One thing they all have in common is that they can download and run executables on command and monitor specified directories.
The malware is located in the files wd and vo1d, after which it is named.
- The basic process starts by modifying the install-recovery.sh or daemonsu files, or by replacing the debuggerd operating system file (these are all startup scripts commonly found in Android devices).
- The malware then uses these scripts for persistence and launches the Vo1d malware on boot.
- Some of the modules of the malware work together. For instance, the Android.Vo1d.1 module is responsible for launching Android.Vo1d.3 and keeping it active. It can also restart the process if necessary.
- Along with that, it can also download and run executables when commanded so by the C&C server.
- The Android.Vo1d.3 module does the same for the Android.Vo1d.5 daemon, which is stored encrypted in its body. This module can also download and run executables, just like its predecessors.
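The persistence traits described above (startup scripts modified to reference the dropped binaries, debuggerd swapped for a script, the vo1d and wd files themselves) can be checked for on a box or a mounted firmware image. The triage helper below is an added example, not code from the article or from Doctor Web; the locations under /system that it inspects are assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the article): flags the Vo1d persistence traits
# on a live AOSP box (run as root via adb shell) or on a mounted firmware image.
# The /system paths below are assumptions, not values from the article.

# Files the article names as modified or replaced for boot persistence.
VO1D_BOOT_SCRIPTS="system/bin/install-recovery.sh system/xbin/daemonsu system/bin/debuggerd"
# Directories where the dropped vo1d / wd files are assumed to live.
VO1D_PAYLOAD_DIRS="system/xbin system/bin"

# Usage: vo1d_triage <root>  -> prints findings; return code = number of findings (0 = clean).
vo1d_triage() {
    root=${1:-/}
    findings=0
    for f in $VO1D_BOOT_SCRIPTS; do
        p="$root/$f"
        [ -e "$p" ] || continue
        # A boot script that names the dropped binaries is the tell-tale sign.
        if grep -Eqs '(^|[^A-Za-z0-9_])(vo1d|wd)([^A-Za-z0-9_]|$)' "$p"; then
            echo "SUSPICIOUS: $f references vo1d/wd"
            findings=$((findings + 1))
        fi
        # debuggerd is normally an ELF binary; a '#!' header means it was replaced by a script.
        case "$f" in
            */debuggerd)
                if head -c 2 "$p" | grep -q '^#!'; then
                    echo "SUSPICIOUS: $f is a shell script, expected an ELF binary"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    for d in $VO1D_PAYLOAD_DIRS; do
        for n in vo1d wd; do
            if [ -e "$root/$d/$n" ]; then
                echo "SUSPICIOUS: payload file present: $d/$n"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}
```

Point it at `/` on the device, or at the mount point of an extracted system image; a non-zero return code means at least one of the traits was found and the box should be taken offline and re-flashed rather than trusted.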
Researchers at Doctor Web are yet to confirm how the devices have been compromised but there are a few possibilities.
- The first one is that they were running outdated versions of the firmware with vulnerabilities.
- There could also be an attack carried out by an intermediate malware that's using operating system vulnerabilities to gain root privileges.
- There might also be some unofficial versions of the firmware that come with built-in root access.
So for now, users are recommended to update their firmware (if any updates are available) and avoid installing Android applications as APKs from third-party sites.
Also, if they notice any unusual activity, the boxes should be immediately disconnected from the internet.
What Does Google Have to Say About This?
Google has clarified that these devices were not running Android TV. These are off-brand devices that are not Play Protect certified.
Play Protect-certified devices go through multiple rounds of testing to ensure they are safe to use. Since Google has no security or compatibility test results for these off-brand devices, it can't take any responsibility for them either.
If users want to check whether their device is running Android TV OS and is Play Protect certified, they can visit the company's Android TV website, where they will find the most up-to-date list of its official partners.
The post New Vo1d Backdoor Malware Infects Over 1.3 Million TV Streaming Boxes Across 200 Countries appeared first on The Tech Report.