
A new campaign targeting Android TV devices has led to the spread of a botnet malware known as Vo1d, with Brazil, South Africa, Indonesia, Argentina, and Thailand becoming some of the primary targets.
The upgraded version of Vo1d has been found to include 800,000 daily active IP addresses, reaching a peak of 1,590,299 infected devices on January 19, 2025. This botnet operates across 226 countries globally. As of February 25, 2025, there has been a dramatic increase in infection rates within India, which rose from under 1% (3,901 devices) to 18.17% (217,771 devices).
According to QiAnXin XLab, Vo1d has evolved to improve its stealth, resilience, and ability to avoid detection. “RSA encryption protects network communication, making it more difficult for command-and-control (C2) systems to be overtaken even if Domain Generation Algorithm (DGA) domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-encrypted keys, which complicates analysis.”
The malware was first reported by Doctor Web in September 2024. It targets Android-based TV boxes through a backdoor that allows the downloading of additional executables controlled by a C2 server. Although the exact method of compromise remains unclear, it is suspected to involve either a supply chain attack or the use of unofficial firmware versions that include built-in root access.
Google told The Hacker News that the infected devices were “off-brand” models that were not certified by Play Protect and were likely built from Android Open Source Project (AOSP) source code.

The current stage of the malware campaign indicates a large-scale operation with the goal of setting up a proxy network and engaging in activities like advertisement click fraud. XLab speculated that the botnet’s fluctuating activity could be attributed to the infrastructure being leased in specific regions to other cybercriminals. This might be part of a “rental-return” cycle, where the bots are rented out for a specified period before returning to the Vo1d network.
A detailed analysis of the latest ELF malware variant (s63) revealed its design to download, decrypt, and execute a second-stage payload, which then establishes communication with a C2 server. The decrypted compressed package (ts01) includes four files: install.sh, cv, vo1d, and x.apk. The shell script begins the attack by launching the cv component, which in turn activates the vo1d module and the Android app after installation.
The primary function of the vo1d module is to decrypt and load an embedded backdoor payload, enabling communication with a C2 server and the execution of a native library.

XLab stated, “While its core functionality remains the same, there have been notable updates to its network communication system. This includes the introduction of a Redirector C2, which is responsible for directing the bot to the real C2 server address. The Redirector C2 uses a hardcoded address and a large pool of domains generated by DGA, thereby creating a more expansive network architecture.”
The malicious Android app used in the attack masquerades as the legitimate Google Play Services app, using the package name “com.google.android.gms.stable” in an attempt to evade detection. The app establishes persistence on the infected device by monitoring the “BOOT_COMPLETED” event, ensuring it runs automatically after every reboot.
The app is also programmed to launch two additional components with similar functions to the vo1d module. These components pave the way for the deployment of a modular Android malware known as Mzmess, which contains four distinct plugins:
- Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) provide proxy services.
- Lxhwdg (“com.app.mz.lxhwdgn”) remains largely unidentified, as its C2 server is currently offline.
- Spirit (“com.app.mz.spiritn”) is employed for advertising purposes and manipulating web traffic.
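As an added example (not from the XLab or Doctor Web reports), the shell function below checks an Android TV box's installed-package list for the Vo1d and Mzmess package names quoted above; it reads "pm list packages" style lines and assumes that output is fed in, for instance from "adb shell pm list packages". Note that the legitimate Play Services package is "com.google.android.gms" and must not be flagged; only the impostor "com.google.android.gms.stable" matches.

```shell
#!/bin/sh
# Added example: flag packages matching the Vo1d/Mzmess package names from the article.
# Usage: adb shell pm list packages | flag_vo1d_packages

# Package names as reported in the article (hypothetical device may carry any subset).
VO1D_PACKAGES="com.google.android.gms.stable
com.app.mz.popan
com.app.mz.jaguarn
com.app.mz.lxhwdgn
com.app.mz.spiritn"

# Reads "package:<name>" lines on stdin, prints one SUSPECT line per match.
# Returns 0 (grep-style) if at least one match was found, 1 otherwise.
flag_vo1d_packages() {
    found=1
    while IFS= read -r line; do
        pkg=${line#package:}              # strip the "package:" prefix pm emits
        for ioc in $VO1D_PACKAGES; do     # default IFS splits on the newlines
            if [ "$pkg" = "$ioc" ]; then  # exact match, so the real gms is not flagged
                printf 'SUSPECT %s\n' "$pkg"
                found=0
            fi
        done
    done
    return $found
}

# Constructed sample output of "pm list packages" for a device carrying two of the
# reported packages alongside the legitimate com.google.android.gms.
SAMPLE='package:com.android.tv.settings
package:com.google.android.gms
package:com.google.android.gms.stable
package:com.app.mz.jaguarn
package:com.netflix.ninja'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | flag_vo1d_packages
fi
```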
The lack of overlap in infrastructure between Mzmess and Vo1d raises the possibility that the threat actor behind these attacks may be renting their service to other criminal groups.
XLab warned that while Vo1d is currently being used for profit, it grants attackers full control over infected devices, which could potentially be leveraged for large-scale cyberattacks or other illicit activities, such as Distributed Denial-of-Service (DDoS) attacks. “These compromised devices could also be used to broadcast unauthorized content,” the report concluded.