
Void captures over a million Android TV boxes

September 12, 2024

Experts from Doctor Web have discovered another case of Android-based TV box infection. The malware, called Android.Vo1d, has infected nearly 1.3 million user devices in 197 countries. It is a backdoor that places its components in the system storage area and, on command from the attackers, is able to secretly download and install third-party software.

In August 2024, Doctor Web was contacted by several users whose Dr.Web antivirus had detected changes in the system file area of their device. The problem occurred on the following models:

TV box model     | Indicated firmware version
R4               | Android 7.1.2; R4 build/NHG47K
TV BOX           | Android 12.1; TV BOX build/NHG47K
KJ-SMART4KVIP    | Android 10.1; KJ-SMART4KVIP build/NHG47K

All these cases showed similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:

  • install-recovery.sh
  • daemonsu

In addition, 4 new files have appeared in the file system:

  • /system/xbin/vo1d
  • /system/xbin/wd
  • /system/bin/debuggerd
  • /system/bin/debuggerd_real

The vo1d and wd files are the components of the Android.Vo1d Trojan that we discovered.

The creators of the Trojan probably tried to disguise one of its components as the system program /system/bin/vold, by giving it a similar name “vo1d” (by replacing the lowercase letter “l” with the number “1”). The name of the malicious program comes from the name of this file. Moreover, this spelling is consistent with the English word “void”.

The install-recovery.sh file is a script present on most Android devices. It is executed when the operating system starts and contains the list of elements to be launched automatically. If malware has root access and can write to the /system directory, it can anchor itself on the infected device by adding itself to this script (or by creating the script from scratch if it is not present on the system). Android.Vo1d registered autostart for the wd component in this file.


The modified file install-recovery.sh

The daemonsu file is present on many rooted Android devices. It is launched by the operating system at boot and is responsible for granting root privileges to the user. Android.Vo1d registered itself in this file as well, again setting up autostart for the wd module.

The debuggerd file is a daemon that is normally used to generate reports on errors that have occurred. When the TV box was infected, however, this file was replaced by the script that launches the wd component.

In the case we are looking at, the debuggerd_real file is a copy of the script that was used to replace the real debuggerd file. Doctor Web's experts believe the Trojan's creators intended to copy the original debuggerd to debuggerd_real in order to preserve its functionality. However, because the infection likely occurred twice, the Trojan moved the already replaced file (i.e., the script) instead. As a result, the device ended up with two Trojan scripts and no genuine debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

  • daemonsu (the analogue of the vo1d file; Android.Vo1d.1);
  • wd (Android.Vo1d.3);
  • debuggerd (the same script as described above);
  • debuggerd_real (the original file of the debuggerd tool);
  • install-recovery.sh (a script that loads the objects specified in it).

An analysis of all the above files showed that, in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modifying the install-recovery.sh and daemonsu files and replacing the debuggerd program. They probably expected at least one of the target files to be present in the infected system, since manipulating even one of them is enough to ensure the Trojan is launched automatically on subsequent device reboots.
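As an added defensive triage example (not Doctor Web's code), the check below looks for the three persistence artefacts just described on a copy of /system. The locations assumed for install-recovery.sh (etc/) and daemonsu (xbin/ or bin/), and the heuristic that a genuine debuggerd is an ELF binary while the replacement is a "#!" script, are assumptions of this example, not statements from the report.

```shell
#!/bin/sh
# Read-only triage for Android.Vo1d persistence artefacts (added example).
# ROOT plays the role of /system: pass "/system" from a root `adb shell`,
# or a local copy obtained with `adb pull /system`. Findings print one per
# line; nothing on the device is modified.

# True when the file begins with a "#!" shebang, i.e. it is a script.
is_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# True when the file begins with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] &&
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# True when a boot script references the vo1d or wd components by path.
references_vo1d() {
    [ -f "$1" ] && grep -Eq '/(xbin|bin)/(vo1d|wd)([^A-Za-z0-9_]|$)' "$1"
}

vo1d_scan() {
    root="${1:-/system}"
    # 1. Dropped Trojan components (Android.Vo1d.1 and Android.Vo1d.3).
    for f in xbin/vo1d xbin/wd; do
        if [ -e "$root/$f" ]; then
            echo "dropped component present: $root/$f"
        fi
    done
    # 2. debuggerd replaced by a script, with the renamed original left behind.
    if is_script "$root/bin/debuggerd"; then
        echo "debuggerd is a script, not an ELF binary: $root/bin/debuggerd"
    fi
    if [ -e "$root/bin/debuggerd_real" ]; then
        if is_elf "$root/bin/debuggerd_real"; then kind="ELF binary"; else kind="script"; fi
        echo "debuggerd_real present ($kind): $root/bin/debuggerd_real"
    fi
    # 3. Autostart entries added to boot scripts (paths are assumptions).
    for f in etc/install-recovery.sh xbin/daemonsu bin/daemonsu; do
        if references_vo1d "$root/$f"; then
            echo "autostart reference to vo1d/wd in: $root/$f"
        fi
    done
    return 0
}

# Usage on a pulled copy: vo1d_scan ./system | tee vo1d-findings.txt
```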

Android.Vo1d's main functionality is hidden in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which work together. The Android.Vo1d.1 module is responsible for starting Android.Vo1d.3, monitors its activity, and restarts its process if necessary. In addition, it can download and execute executable files when the C&C server instructs it to. In turn, the Android.Vo1d.3 module installs and starts the Android.Vo1d.5 daemon, which is stored encrypted in its body. This module can also download and execute executable files. Furthermore, it monitors specified directories and installs the APK files it finds in them.

A study by malware analysts at Doctor Web has revealed that the Android.Vo1d backdoor infected approximately 1.3 million devices, while its geographic distribution included almost 200 countries. The largest number of infections were detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.



Countries with the highest number of infected devices detected

One possible reason the attackers behind Android.Vo1d specifically chose TV boxes is that such devices often run outdated Android versions that have unpatched vulnerabilities and no longer receive updates. For example, the users who contacted us had models based on Android 7.1, even though for some of them the configuration indicated much newer versions, such as Android 10 and Android 12. Unfortunately, it is not uncommon for manufacturers of budget devices to use older OS versions and present them as more up-to-date to make the devices more attractive.

Furthermore, users themselves may mistakenly believe that TV boxes are better protected devices than smartphones. As a result, they are less likely to install antivirus software on these boxes and risk encountering malware when downloading third-party apps or installing unofficial firmware.

At this time, the source of the backdoor infection of the TV boxes is still unknown. A possible infection vector could be an attack by an intermediate malware that exploits vulnerabilities in the operating system to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.

Dr.Web anti-virus for Android successfully detects all known Android.Vo1d Trojan variants and, if root access is available, it repairs the infected devices.
