Brazil, South Africa, Indonesia, Argentina and Thailand are among the countries most heavily targeted.
The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet peaking at 1,590,299 on January 19 and spanning 226 countries. As of February 25, 2025, India saw a sharp rise in infections, going from less than 1% (3,901) to 18.17% (217,771).
"Vo1d has evolved to enhance its stealth, resilience and anti-detection capabilities," Qianxin XLab said. "RSA encryption secures network communication, preventing [command-and-control] takeover even if [domain generation algorithm] domains are registered by researchers. Each payload uses a unique downloader, with XXTEA encryption and RSA-protected keys, making analysis more complex."
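To make the XXTEA layer the quote refers to concrete, here is an added Python implementation of the standard Corrected Block TEA (XXTEA) algorithm with a byte-level wrapper. It is an example written for this page, not code from XLab or from the malware, and it assumes a 16-byte key, little-endian word order and a length-prefix padding scheme; none of those parameters, nor the RSA wrapping of the key, are described on the page, so treat them as assumptions. The key and payload below are constructed.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(sum_, y, z, p, e, key):
    # XXTEA mixing function; + and ^ commute with a final 32-bit mask.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def _encrypt_words(v, key):
    n = len(v)
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[-1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def _decrypt_words(v, key):
    n = len(v)
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Encrypt arbitrary bytes: 4-byte length header, zero padding to a
    multiple of 4 bytes and at least two words (XXTEA requires n >= 2).
    Assumption: the length-prefix layout is this example's, not the malware's."""
    if len(key) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    k = list(struct.unpack("<4I", key))
    body = struct.pack("<I", len(data)) + data
    body += b"\x00" * ((-len(body)) % 4)
    if len(body) < 8:
        body += b"\x00" * (8 - len(body))
    v = list(struct.unpack("<%dI" % (len(body) // 4), body))
    return struct.pack("<%dI" % len(v), *_encrypt_words(v, k))


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    """Inverse of xxtea_encrypt; a wrong key almost always yields an
    implausible length header, which is reported as a ValueError."""
    if len(key) != 16 or len(blob) < 8 or len(blob) % 4:
        raise ValueError("bad key or ciphertext length")
    k = list(struct.unpack("<4I", key))
    v = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    body = struct.pack("<%dI" % len(v), *_decrypt_words(v, k))
    (length,) = struct.unpack("<I", body[:4])
    if length > len(body) - 4:
        raise ValueError("corrupt length header (wrong key?)")
    return body[4:4 + length]


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed key
    payload = b"second-stage payload (constructed)"
    ct = xxtea_encrypt(payload, key)
    print(ct.hex())
    print(xxtea_decrypt(ct, key))
```

When reversing a sample that uses this cipher, the things to recover from the binary are exactly the parameters assumed above: the 128-bit key (here the quote says it is RSA-protected, so it must be unwrapped first), the word endianness, and whatever length or padding convention the loader applies before decrypting.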
The malware was first documented by Doctor Web in September 2024 as affecting Android TV boxes by means of a backdoor capable of downloading additional executables on instruction from a command-and-control (C2) server.
It is not yet clear how the devices are being compromised, although a supply chain attack or the use of unofficial firmware with built-in root access is suspected.
At the time, Google told The Hacker News that the infected "off-brand" TV models were not Play Protect certified Android devices and were likely built from the Android Open Source Project (AOSP) source code.
The latest iteration of the malware campaign shows that it operates at large scale to facilitate the creation of a proxy network and activities such as ad and click fraud.
XLab suggested that the rapid fluctuations in botnet activity are likely the result of its infrastructure in certain regions being leased to other criminal entities as part of what it described as a "rental" cycle, in which the bots are hired out for a set period to carry out illegal operations.
Analysis of the new ELF malware (s63) showed that it is designed to download, decrypt and execute a second-stage payload, which is responsible for establishing communication with the C2 server.
The decrypted compressed package (ts01) contains four files: install.sh, cv, vo1d and x.apk. Execution starts with the shell script, which launches the cv component, which in turn launches both vo1d and the Android app after installing it.
The main function of the vo1d module is to decrypt and load the embedded payload, a backdoor capable of establishing a connection with the C2 server and downloading and executing a native library.
"Its core functionality remains unchanged," XLab said. "However, its network communication mechanisms have been significantly updated, in particular with the introduction of a Redirector C2. The Redirector C2 serves to provide the real C2 address, using a hard-coded Redirector C2 and a large DGA-generated domain pool to build a more robust network architecture."
The malicious Android app, for its part, uses the package name "com.google.android.Stable" in what is an obvious attempt to pass as the legitimate Google Play Services ("com.google.android.gms") and fly under the radar. It sets up persistence on the host by listening for the "BOOT_COMPLETED" broadcast so that it is launched automatically after every reboot.
It is also designed to launch two other components with functionality similar to that of the vo1d module. The attack chain paves the way for the deployment of a modular Android malware called Mzmess, which includes four different plugins:
- Popa ("com.app.mz.popan") and Jaguar ("com.app.mz.jaguarn") for proxy services
- Lxhwdg ("com.app.mz.lxhwdgn"), whose purpose remains unknown because its C2 server is offline
- Spirit ("com.app.Spirt") for ad promotion and traffic inflation
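A practical check that follows from the package names above (the Google Play Services lookalike and the four Mzmess plugins) is to run the installed-package list of a suspect box through a small triage script. The following is an added Python example written for this page, not a tool from XLab or Doctor Web; the sample `pm list packages -f` output is constructed, the Google allowlist is an assumption you should extend for your own firmware, and the package spellings are taken from the article as written.

```python
import re
import sys

# Package names the article ties to this campaign (spelling as given on the page).
VO1D_IOC_PACKAGES = {
    "com.google.android.Stable": "Vo1d dropper posing as Google Play Services",
    "com.app.mz.popan": "Mzmess Popa proxy plugin",
    "com.app.mz.jaguarn": "Mzmess Jaguar proxy plugin",
    "com.app.mz.lxhwdgn": "Mzmess Lxhwdg plugin (purpose unknown)",
    "com.app.Spirt": "Mzmess Spirit ad-fraud plugin",
}

# Assumption: a short allowlist of genuine Google packages; extend it from a
# known-good build of the same device before using this in anger.
GOOGLE_ALLOWLIST = {
    "com.google.android.gms",
    "com.google.android.gsf",
    "com.google.android.youtube",
    "com.google.android.tv",
    "com.google.android.webview",
}

GOOGLE_PREFIX = "com.google.android."

# Format of `adb shell pm list packages -f`: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")

# Constructed sample output, not captured from a real device.
SAMPLE_PM_LIST = """\
package:/system/priv-app/PrebuiltGmsCore/PrebuiltGmsCore.apk=com.google.android.gms
package:/data/app/com.google.android.Stable-1/base.apk=com.google.android.Stable
package:/data/app/com.app.mz.popan-1/base.apk=com.app.mz.popan
package:/data/app/com.netflix.ninja-1/base.apk=com.netflix.ninja
package:/system/app/YouTube/YouTube.apk=com.google.android.youtube
"""


def parse_pm_list(text):
    """Yield (apk_path, package_name) pairs, skipping lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("pkg")


def classify(pkg):
    """Return a list of findings for one package name (empty means clean)."""
    findings = []
    if pkg in VO1D_IOC_PACKAGES:
        findings.append("known IOC: " + VO1D_IOC_PACKAGES[pkg])
    lower = pkg.lower()
    # Sits in Google's namespace but is not a package we expect: lookalike.
    if lower.startswith(GOOGLE_PREFIX) and pkg not in GOOGLE_ALLOWLIST:
        findings.append("Google-namespace lookalike not in allowlist")
    # Android package names are case-sensitive; Google's are all lowercase,
    # so mixed case in that namespace is itself a tell.
    if lower.startswith(GOOGLE_PREFIX) and pkg != lower:
        findings.append("mixed-case name in Google namespace")
    return findings


def scan(text):
    """Map each suspicious package name to its findings, keeping the APK path."""
    report = {}
    for path, pkg in parse_pm_list(text):
        findings = classify(pkg)
        if findings:
            report[pkg] = {"path": path, "findings": findings}
    return report


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_LIST
    for pkg, info in scan(source).items():
        print(f"{pkg} ({info['path']})")
        for f in info["findings"]:
            print("   -", f)
```

Usage: `adb shell pm list packages -f | python3 scan.py`. The APK path is reported but deliberately not used as a signal, because Play updates of genuine Google apps also land under /data/app; confirming the persistence described above (a receiver for BOOT_COMPLETED) requires pulling the APK and inspecting its manifest, which this script does not do.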
The lack of infrastructure overlap between Mzmess and Vo1d has raised the possibility that the threat actors behind the malicious activity are renting their services to other groups.
"Currently, Vo1d is used for profit, but full control over the devices would allow the attackers to pivot to large-scale cyber attacks or other criminal acts (such as distributed denial-of-service (DDoS) attacks)," XLab said. "Hackers could use them to broadcast unauthorized content."