
1.3 million Android-based TV boxes have been fitted with a backdoor, and researchers still haven’t figured out how it works.

By Justin G Tarter, September 13, 2024

Researchers still don’t know what caused the recently discovered malware infection, which has affected around 1.3 million streaming devices running the open-source version of Android in roughly 200 countries.

Security firm Doctor Web reported Thursday that the malware, dubbed Android.Vo1d, had installed a backdoor on Android-based boxes and placed malicious components in the system’s storage area, ready to be updated with additional malware by a command-and-control server at any time. A Google representative said the infected devices were running an operating system based on the Android Open Source Project, a version controlled by Google that is different from the proprietary version of Android TV that is restricted to licensed device makers.

Dozens of variations

Although Doctor Web has a good understanding of Vo1d and its extraordinary impact, the company’s researchers say they have not yet been able to identify the attack vector that led to the infection.

“At this time, the source of the backdoor infection in TV boxes is unknown,” Thursday’s post read. “One possible infection vector is a man-in-the-middle malware attack that exploits a vulnerability in the operating system to gain root privileges. Another possible vector is the use of an unofficial firmware version with built-in root access.”

Vo1d infects the following device models:

| TV box model | Declared firmware version |
|---|---|
| R4 | Android 7.1.2; R4 Build/NHG47K |
| TV BOX | Android 12.1; TV BOX Build/NHG47K |
| KJ-SMART4KVIP | Android 10.1; KJ-SMART4KVIP Build/NHG47K |

A possible cause of infection is that the device is running an outdated version, which is vulnerable to exploits that allow remote execution of malicious code: for example, versions 7.1, 10.1, and 12.1 were released in 2016, 2019, and 2022, respectively. Moreover, Doctor Web says that it is not uncommon for low-cost device manufacturers to install older versions of the OS on streaming boxes and market them as the latest models to make them appear more attractive.

Additionally, Google’s Android TV can only be modified by licensed device manufacturers, whereas the open source version can be freely modified by any device manufacturer, meaning that devices could be infected along the supply chain and already be compromised by the time they are purchased by end users.

“These non-branded devices found to be infected were not Play Protect-certified Android devices,” Google said in a statement. “If a device is not Play Protect-certified, Google has no record of its security and compatibility testing results. Play Protect-certified Android devices undergo thorough testing to ensure quality and user safety.”

According to the statement, you can check this link and follow the steps mentioned there to ensure that your device is running Android TV OS.

According to Doctor Web, there are dozens of Vo1d variants, each of which uses different code and embeds malware in slightly different storage areas, but achieves the same end result: connecting to an attacker-controlled server and installing a final component that can install additional malware on command. VirusTotal says most of the Vo1d variants were first uploaded to the malware identification site several months ago.

The researchers write:

In all these cases the infection symptoms were similar, so we will use one of the first requests we received as an example. The following objects were changed on the affected TV box:

install-recovery.sh
daemonsu

Additionally, four new files have been added to the file system:

/system/xbin/vo1d
/system/xbin/wd
/system/bin/debuggerd
/system/bin/debuggerd_real

The vo1d and wd files are components of the Android.Vo1d Trojan that we discovered.

It appears that the Trojan’s creators tried to disguise one of its components as the system program /system/bin/vold, giving it a similar name “vo1d” (with the lowercase “l” replaced with the number “1”). The malicious program’s name comes from the name of this file. Moreover, its spelling is consonant with the English word “void”.

The install-recovery.sh file is a script present on most Android devices. It runs at the start of the operating system and contains data to auto-run specified elements. If the malware has root access and the ability to write to the /system system directory, it can anchor itself on the infected device by adding itself to this script (or creating it from scratch if it does not exist on the system). Android.Vo1d registered the wd component in this file.

Modified install-recovery.sh file


Doctor Web

The daemonsu file is present on many Android devices with root access. It is launched at the start of the operating system and provides the user with root privileges. Android.Vo1d is also registered in this file, for the wd module.

The debuggerd file is a daemon used to create reports about errors that occur. However, when the TV box was infected, this file was replaced by a script that launches the wd component.

In the case we are considering, the debuggerd_real file is a copy of the script that was used to replace the real debuggerd file. Doctor Web experts say that the Trojan’s authors meant for the original debuggerd file to be relocated to debuggerd_real to maintain functionality. However, the Trojan likely infected the device twice and therefore moved the file it had already replaced (i.e. the script). As a result, the device had two scripts from the Trojan and no actual debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices.

daemonsu (an analog of the vo1d file: Android.Vo1d.1);
wd (Android.Vo1d.3);
debuggerd (the same script as above);
debuggerd_real (the original file of the debuggerd tool);
install-recovery.sh (the script that loads the specified objects).

After analyzing all the aforementioned files, we discovered that the authors used at least three different methods to establish Android.Vo1d on the system: modifying the install-recovery.sh and daemonsu files and replacing the debuggerd program. This was likely because the expectation was that at least one of the target files would be present on the infected system, as manipulating even one of the target files would ensure that the Trojan would automatically launch on any subsequent reboot of the device.

The main features of Android.Vo1d are in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which work together: the Android.Vo1d.1 module is responsible for launching Android.Vo1d.3, controlling its activity and restarting the process if necessary. In addition, it can download and run executable files if instructed by the C&C server. The Android.Vo1d.3 module then installs and starts the Android.Vo1d.5 daemon, which is encrypted and stored in its body. This module can also download and run executable files. In addition, it monitors specified directories and installs APK files it finds there.

The geographic distribution of infections is widespread, with the highest number of confirmed cases in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria and Indonesia.

A world map listing the number of confirmed cases in each country.

Doctor Web

It’s not particularly easy for inexperienced users to tell if their device is infected unless they install a malware scanner. Doctor Web says that its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. Experienced users can check for signs of compromise here.
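
The file-level symptoms in Doctor Web's write-up can be checked offline against an extracted or mounted copy of a box's /system partition, which avoids trusting tools on the device itself. The script below is an added example, not code from Doctor Web or from this article; the function names, the VO1D_HITS variable, searching for install-recovery.sh and daemonsu by name, and the sample tree are assumptions constructed for illustration, and the file names follow Android's stock debuggerd and SuperSU's daemonsu.

```shell
#!/bin/sh
# Added example (not Doctor Web's tooling): offline triage of an extracted
# /system tree for the Android.Vo1d file artifacts named in the article.
# check_vo1d ROOT: prints one line per finding, sets VO1D_HITS to the count.
check_vo1d() {
    root=$1
    VO1D_HITS=0

    # 1. Files the report says were added to the file system.
    for f in system/xbin/vo1d system/xbin/wd system/bin/debuggerd_real; do
        if [ -e "$root/$f" ]; then
            echo "FOUND added file: /$f"
            VO1D_HITS=$((VO1D_HITS + 1))
        fi
    done

    # 2. debuggerd is normally a native binary; the report describes it being
    #    replaced by a script, so a "#!" header is suspicious.
    d="$root/system/bin/debuggerd"
    if [ -f "$d" ] && [ "$(head -c 2 "$d")" = '#!' ]; then
        echo "SUSPICIOUS: /system/bin/debuggerd is a script"
        VO1D_HITS=$((VO1D_HITS + 1))
    fi

    # 3. Autorun files that reference the trojan components. Their location
    #    varies by firmware (assumption), so search by name.
    refs=$(find "$root/system" -type f \
             \( -name install-recovery.sh -o -name daemonsu \) \
             -exec grep -lE '/system/xbin/(wd|vo1d)' {} + 2>/dev/null) || true
    if [ -n "$refs" ]; then
        echo "SUSPICIOUS autorun reference in:"
        echo "$refs"
        VO1D_HITS=$((VO1D_HITS + $(echo "$refs" | wc -l)))
    fi
}

# Constructed sample tree mimicking the first case described in the report.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/system/xbin" "$t/system/bin" "$t/system/etc"
    : > "$t/system/xbin/vo1d"; : > "$t/system/xbin/wd"
    printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$t/system/bin/debuggerd"
    cp "$t/system/bin/debuggerd" "$t/system/bin/debuggerd_real"
    cp "$t/system/bin/debuggerd" "$t/system/etc/install-recovery.sh"
    echo "$t"
}

tree=$(make_sample_tree); check_vo1d "$tree"; rm -rf "$tree"
```

A clean result here only means these specific file names are absent; the article notes that variants place components in slightly different storage areas.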
