
Brazil, South Africa, Indonesia, Argentina and Thailand are being targeted by a campaign that has infected Android TV devices with botnet malware called VO1D.
The improved variant of VO1D is known to encompass 800,000 active IP addresses daily, with the botnet peaking at 1,590,299 on January 19, 2025. As of February 25, 2025, India had experienced a significant surge in infection rate, rising from below 1% (3,901) to 217,771.
“VO1D has evolved to increase stealth, resilience and prevention capabilities,” Qianxin XLAB said. “RSA encryption protects network communications and prevents [command-and-control] takeover even if a [Domain Generation Algorithm] domain is registered by a researcher. Each payload uses a unique downloader with XXTEA encryption and RSA-protected keys to make analysis difficult.”

The malware was first documented by Doctor Web in September 2024, when it was found to affect Android-based TV boxes using a backdoor that can download additional executables on instructions issued by the command-and-control (C2) server.
It is not clear how the devices are compromised, but some form of supply chain attack or the use of unofficial firmware versions with built-in root access is suspected.
At the time, Google told The Hacker News that the infected “unbranded” TV models were not Play Protect-certified Android devices and likely used source code from the Android Open Source Project (AOSP) repository.

The latest iterations of the campaign show that it is operating at scale, with the intent of facilitating proxy networks and activities such as ad click fraud.
XLAB theorized that the rapid fluctuations in botnet activity are caused by a “rental return” cycle: bots are leased to other criminals for a set period of time, used for illegal operations, and then rejoin the larger VO1D network once the lease ends.
Analysis of the new version of the ELF malware (S63) reveals that it is designed to download, decrypt and run a second-stage payload, which is responsible for establishing communication with the C2 server.
The decrypted compressed package (TS01) contains four files: install.sh, cv, vo1d, and x.apk. Execution starts with the shell script, which launches the cv component and then both the vo1d binary and the Android app after installation.
The main function of the vo1d module is to establish communication with the C2 server and to decrypt and load an embedded payload, a backdoor that can download and run native libraries.

“That core functionality remains the same,” XLAB said. “However, its network communication mechanism has received significant updates, particularly the implementation of Redirector C2. Redirector C2 provides bots with the real C2 server addresses and leverages a large pool of domains generated by hardcoded redirector C2 and the DGA to build a vast network architecture.”
For its part, the malicious Android app’s package name, “com.google.android.gms.stable”, is a clear attempt to pass as the legitimate Google Play services package (“com.google.android.gms”) and fly under the radar. It establishes persistence on the host by listening for the “boot_completed” event so that it runs automatically after each reboot.

It is also designed to launch two other components that have functionality similar to the vo1d module. The attack chain paves the way for the deployment of modular Android malware named Mzmess, which comes with four different plugins, among them –
Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) for proxy services, and Lxhwdg (“com.app.mz.lxhwdgn”).
The lack of infrastructure overlap between Mzmess and VO1D increases the likelihood that the threat actor behind the malicious activity is renting its services to other groups.
“Currently, VO1D is used for profit, but with full control of the device, attackers can carry out large-scale cyberattacks [such as distributed denial-of-service (DDoS) attacks] and other criminal activities,” XLAB said.
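A defender reviewing an Android TV box would want to turn the package names above (the Google Play services look-alike and the Mzmess plugins) and the boot-time persistence into a repeatable check. The script below is an added illustration, not code from the article or from XLAB: it parses the `package:<name>` lines that `adb shell pm list packages` prints, flags exact matches against the names the article reports, flags any package that merely extends a core Google package name with an extra suffix, and raises the severity when such a package also registers a BOOT_COMPLETED receiver. The package list and the receiver set are constructed sample data; on a real device the receiver information would come from each APK's manifest.

```python
"""Triage heuristic for an Android TV package inventory (illustrative, added here).

Flagged packages are review candidates, not verdicts: some Google and OEM builds
ship legitimate modules under the com.google.android.gms prefix, so confirm the
APK signing certificate before removing anything.
"""
from __future__ import annotations

# Package names reported in the article: the Play services impersonator and
# the three Mzmess plugins it names.
KNOWN_BAD: dict[str, str] = {
    "com.google.android.gms.stable": "impersonates Google Play services (reported name)",
    "com.app.mz.popan": "Mzmess Popa proxy plugin (reported name)",
    "com.app.mz.jaguarn": "Mzmess Jaguar proxy plugin (reported name)",
    "com.app.mz.lxhwdgn": "Mzmess Lxhwdg plugin (reported name)",
}

# Core Google packages that look-alikes tend to extend with a suffix.
GOOGLE_CORE = ("com.google.android.gms", "com.google.android.gsf")

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.tv.settings
package:com.google.android.gms
package:com.google.android.gms.stable
package:com.google.android.gsf.update
package:com.app.mz.popan
package:com.example.mediaplayer
"""

# Constructed: packages whose manifest declares a receiver for
# android.intent.action.BOOT_COMPLETED (the "boot_completed" persistence hook).
SAMPLE_BOOT_RECEIVERS = {"com.google.android.gms.stable"}


def parse_pm_list(text: str) -> list[str]:
    """Return package names from `pm list packages` style output."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def lookalike_of(name: str) -> str | None:
    """Return the core Google package this name extends with a suffix, if any."""
    for core in GOOGLE_CORE:
        if name != core and name.startswith(core + "."):
            return core
    return None


def triage(pm_text: str, boot_receivers: set[str]) -> dict[str, tuple[str, list[str]]]:
    """Map suspicious package name -> (severity, reasons)."""
    findings: dict[str, tuple[str, list[str]]] = {}
    for name in parse_pm_list(pm_text):
        reasons = []
        if name in KNOWN_BAD:
            reasons.append(KNOWN_BAD[name])
        core = lookalike_of(name)
        if core:
            reasons.append(f"suffixed look-alike of {core}; verify APK signer")
        if not reasons:
            continue  # nothing suspicious about this name
        if name in boot_receivers:
            reasons.append("registers a BOOT_COMPLETED receiver (reboot persistence)")
        # A reported name, or a look-alike that also persists across reboots, is high.
        severity = "high" if name in KNOWN_BAD or name in boot_receivers else "medium"
        findings[name] = (severity, reasons)
    return findings


if __name__ == "__main__":
    for pkg, (sev, why) in triage(SAMPLE_PM_OUTPUT, SAMPLE_BOOT_RECEIVERS).items():
        print(f"[{sev}] {pkg}: " + "; ".join(why))
```

The suffix check deliberately ignores the genuine `com.google.android.gms` entry, so a clean device with Play services installed produces no finding; only the extra suffixed package is flagged, and it is escalated when it also hooks the boot event.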