Nearly 1.3 million Android TV boxes running outdated versions of the operating system and owned by users in 197 countries have been infected by a new malware called Vo1d (aka Void).
“This is a backdoor that places its components in the system storage and is capable of secretly downloading and installing third-party software at the command of attackers,” Russian anti-virus vendor Doctor Web said in a report released today.
Most of the infections were found in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria and Indonesia.
It is currently unknown what the source of the infection is, although it is suspected that it could be related to either a previous root hack or the use of unofficial firmware versions with built-in root access.
The following TV models have been targeted as part of the campaign –
- KJ-SMART4KVIP (Android 10.1; build KJ-SMART4KVIP/NHG47K)
- R4 (Android 7.1.2; build R4/NHG47K)
- TV BOX (Android 12.1; build TV BOX/NHG47K)
The attack involves replacing the daemon file “/system/bin/debuggerd” (with the original file being moved to a backup file called “debuggerd_real”), as well as introducing two new files – “/system/xbin/vo1d” and “/system/xbin/wd” – which contain malicious code and run simultaneously.
“Prior to Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons,” Google notes in its Android documentation. “On Android 8.0 and above, crash_dump32 and crash_dump64 are created when needed.”
Two different files that are part of the Android operating system – install-recovery.sh and daemonsu – were modified as part of the campaign to trigger the launch of the malware by running the “wd” module.
“The authors of the Trojan probably tried to disguise one of its components as the system program ‘/system/bin/vold’ by giving it a look-alike name of ‘vo1d’ (replacing the lowercase letter ‘l’ with the number ‘1’),” Doctor Web said.
The “vo1d” payload, in turn, starts “wd” and keeps it running, and downloads and runs executables as instructed by the command-and-control (C2) server. Additionally, it keeps tabs on specified directories and installs the APK files it finds in them.
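The file-level indicators above (the renamed “debuggerd_real” backup, the “vo1d” and “wd” binaries, startup scripts patched to launch “wd”, and the “vold”/“vo1d” look-alike name) are easy to check for on a device whose /system partition has been pulled to a workstation. The script below is an added example, not code from the article or from Doctor Web; it scans a directory tree for those indicators and also generalises the look-alike check to other core daemons by folding digit-for-letter substitutions before comparison. The paths for install-recovery.sh (/system/etc) and daemonsu (/system/xbin) are assumptions, since the report does not give them, and the sample tree it builds is constructed for demonstration.

```python
"""Added example (not from the article or Doctor Web): scan a pulled Android
/system tree for the Vo1d file indicators the report names."""
import os
import re
import tempfile

# Files named in the report, relative to the device root.
VO1D_FILES = [
    "system/bin/debuggerd_real",   # backup of the replaced crash daemon
    "system/xbin/vo1d",            # payload disguised as "vold"
    "system/xbin/wd",              # companion module started by vo1d
]

# Startup scripts the report says were modified to launch "wd".
# Their locations are assumptions (install-recovery.sh normally lives in
# /system/etc, daemonsu in /system/xbin on SuperSU-rooted devices).
STARTUP_SCRIPTS = ["system/etc/install-recovery.sh", "system/xbin/daemonsu"]
LAUNCH_PATTERN = re.compile(r"/system/xbin/wd\b")

# Legitimate daemon names; entries that only differ by a digit swap are flagged.
KNOWN_BINARIES = {"vold", "debuggerd", "installd", "logd", "servicemanager"}
HOMOGLYPHS = {"1": "l", "0": "o"}


def normalize(name):
    """Fold common digit-for-letter swaps (vo1d -> vold, l0gd -> logd)."""
    return "".join(HOMOGLYPHS.get(c, c) for c in name)


def scan_tree(root):
    """Return (indicator, relative_path) tuples found under root."""
    findings = []
    for rel in VO1D_FILES:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(("known_vo1d_file", rel))
    for rel in STARTUP_SCRIPTS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                if LAUNCH_PATTERN.search(fh.read()):
                    findings.append(("startup_script_launches_wd", rel))
    for d in ("system/bin", "system/xbin"):
        dpath = os.path.join(root, d)
        if not os.path.isdir(dpath):
            continue
        for name in sorted(os.listdir(dpath)):
            canon = normalize(name)
            if canon in KNOWN_BINARIES and canon != name:
                findings.append(("lookalike_binary_name", f"{d}/{name}"))
    return findings


def build_sample_tree(infected=True):
    """Constructed sample tree (not real device data) for a local dry run."""
    root = tempfile.mkdtemp(prefix="vo1d_demo_")
    for d in ("system/bin", "system/xbin", "system/etc"):
        os.makedirs(os.path.join(root, d))
    files = {
        "system/bin/vold": "legit daemon",
        "system/bin/debuggerd": "daemon",
        "system/etc/install-recovery.sh": "#!/system/bin/sh\n",
    }
    if infected:
        files["system/bin/debuggerd_real"] = "original daemon"
        files["system/xbin/vo1d"] = "payload"
        files["system/xbin/wd"] = "payload"
        files["system/etc/install-recovery.sh"] += "/system/xbin/wd &\n"
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point this at a directory where `adb pull /system` was run, or use the sample.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for indicator, rel in scan_tree(target):
        print(f"{indicator}: {rel}")
```

Run it against a pulled tree with `python vo1d_scan.py /path/to/pulled/root`; with no argument it scans the constructed sample. A clean device yields no findings, while the sample infected tree reports the three known files, the patched install-recovery.sh, and the “vo1d” name flagged as a look-alike of “vold”. The look-alike check deliberately stays narrow (digit swaps only) to avoid false positives on ordinary vendor binaries.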
“Unfortunately, it is not uncommon for manufacturers of budget devices to use older versions of the OS and pass them off as more modern in order to make them more attractive,” the company said.