Approximately 1.3 million Android-based TV boxes running an older version of the operating system, owned by users in 197 countries, have been infected with a new malware called Vo1d (aka Void).
“This is a backdoor capable of placing components in the system’s storage area and covertly downloading and installing third-party software at the attacker’s command,” Russian antivirus vendor Doctor Web said in a report published today.
The majority of infections have been confirmed in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria and Indonesia.
The source of the infection is currently unknown, but it is suspected to be related to earlier compromises that allowed root privileges to be obtained, or to the use of unofficial firmware versions with built-in root access.
The following TV box models have been targeted in the campaign:
- KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
- R4 (Android 7.1.2; R4 build/NHG47K)
- TV BOX (Android 12.1; TV BOX Build/NHG47K)
The attack involves replacing the “/system/bin/debuggerd” daemon file (moving the original to a backup file called “debuggerd_real”) and introducing two new files (“/system/xbin/vo1d” and “/system/xbin/wd”) that contain malicious code and run simultaneously.
“Prior to Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons,” Google says in the Android documentation. “Starting with Android 8.0, crash_dump32 and crash_dump64 are generated as needed.”
Two different files that shipped as part of the Android operating system – install-recovery.sh and daemonsu – were modified as part of the campaign to launch the ‘wd’ module and trigger the malware’s execution.
“It appears that the Trojan’s creators tried to disguise one of its components as the system program ‘/system/bin/vold’, giving it a similar name: ‘vo1d’ (replacing the lowercase letter ‘l’ with the number ‘1’),” Doctor Web said.
The “vo1d” payload then launches “wd” to ensure it is persistent, downloads and runs executables as instructed by the command and control (C2) server, and monitors designated directories and installs APK files it finds there.
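As an added defender-side example (not code from the Doctor Web report or from the malware), the script below checks a device or a pulled copy of its filesystem for the persistence artifacts described above: the debuggerd_real backup, the two dropped /system/xbin modules, and startup scripts that reference the “wd” module. The full paths for install-recovery.sh and daemonsu, and the assumption that the modified scripts reference the module by its xbin path, are assumptions rather than details from the report.

```shell
#!/bin/sh
# Vo1d indicator check (added example, not from the report). Pass a filesystem
# root to inspect, e.g. a directory into which /system was pulled with adb;
# with no argument it inspects the live device (run via `adb shell`).
vo1d_check() {
    root="${1:-}"      # "" means the live device root
    hits=0

    # 1. Backup left behind when /system/bin/debuggerd was replaced.
    if [ -e "$root/system/bin/debuggerd_real" ]; then
        echo "HIT: $root/system/bin/debuggerd_real exists (original debuggerd moved aside)"
        hits=$((hits + 1))
    fi

    # 2. The two dropped modules named in the report.
    for f in /system/xbin/vo1d /system/xbin/wd; do
        if [ -e "$root$f" ]; then
            echo "HIT: $root$f present"
            hits=$((hits + 1))
        fi
    done

    # 3. Startup scripts modified to launch the 'wd' module. The locations
    #    below are assumed (usual paths for these files), as is the string
    #    'xbin/wd' used to spot the injected launch line.
    for s in /system/bin/install-recovery.sh /system/etc/install-recovery.sh /system/xbin/daemonsu; do
        if [ -f "$root$s" ] && grep -q 'xbin/wd' "$root$s" 2>/dev/null; then
            echo "HIT: $root$s references xbin/wd"
            hits=$((hits + 1))
        fi
    done

    echo "indicators found: $hits"
    return $hits      # non-zero exit status means indicators were found
}

vo1d_check "$@"
```

A non-zero exit status flags a suspect device; a clean result only means these specific artifacts are absent, not that the box is trustworthy.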
“Unfortunately, it is not uncommon for low-cost device manufacturers to take older OS versions and market them as more current versions to make them appear more attractive,” the company said.
Update
Google told The Hacker News that the affected TV models are not Play Protect certified Android devices and likely use source code from the Android Open Source Project code repository. Here is the company’s full statement:
“These non-branded devices found to be infected are not Play Protect Certified Android devices. If a device is not Play Protect Certified, Google does not keep a record of its security and compatibility test results. Play Protect Certified Android devices have undergone extensive testing to ensure quality and user safety. To find out whether your device runs Android TV OS and is Play Protect Certified, the Android TV website provides an up-to-date list of partners. You can also follow these steps to check if your device is Play Protect Certified.”