1.3 Million Android TV Boxes Have Been Breached; Researchers Still Don’t Know How

Researchers still don’t know what caused the newly discovered malware that affects nearly 1.3 million streaming devices running the open-source Android operating system in nearly 200 countries.

Dr. Web Security Company Reported on Thursday The malware, dubbed Android.Vo1d, was able to infect Android devices by placing malicious components in the system storage area, where they could be updated with additional malware at any time via command-and-control servers. Google representatives said the infected devices were running operating systems based on the Android Open Source Project, a version that Google oversees but is different from Android TV, which is a proprietary version restricted to licensed device makers.

Dozens of variables

Although Doctor Web has a comprehensive understanding of the Vo1d virus and the extraordinary reach it has achieved, the company’s researchers say they have yet to identify the attack vector that led to the infection.

“At this time, the source of the backdoor infection of the TV boxes remains unknown,” the post said on Thursday. “One possible vector of infection could be an attack by a middleman malware exploiting operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The following devices are affected by Vo1d virus:

One possible reason for the infection is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. For example, versions 7.1, 10.1, and 12.1 were released in 2016, 2019, and 2022, respectively. Furthermore, Dr. Webb said it is not uncommon for budget device manufacturers to install older versions of operating systems on streaming boxes and make them look more attractive by presenting them as newer models.

Furthermore, while only authorized device makers are allowed to modify Google’s AndroidTV, any device maker is free to make changes to the open source versions. This leaves open the possibility that devices in the supply chain could be infected and already compromised by the time the end user purchases them.

It was discovered that these unbranded infected devices were not Play Protect Certified Android Devices“If a device is not Play Protect certified, Google will not have a record of the results of our security and compatibility tests,” Google said in a statement. “Android devices certified by Play Protect undergo extensive testing to ensure quality and user safety.”

The statement said that people can verify that the device is running Android TV by checking This link And follow the steps mentioned here.

Dr. Webb said there are dozens of Vo1d variants that use different code and plant malware in slightly different storage areas, but they all achieve the same end result of connecting to an attacker-controlled server and installing a final component that can install additional malware when instructed. VirusTotal notes that most Vo1d variants were first uploaded to a malware detection site several months ago.

The researchers wrote:

All of these cases had similar signs of infection, so we’ll describe them using one of the first requests we received as an example. The following objects were changed on the infected TV box:

• install-recovery.sh
• Demonso

In addition, 4 new files appeared in his file system:

• /system/xbin/vo1d
• /system/xbin/wd
• /system/bin/debuggerd
• /system/bin/debuggerd_real

the Voice1D and friendship Files are components. Android.Vo1d The Trojan Horse We Discovered.

The authors of the Trojan may have tried to disguise one of its components as the system program /system/bin/vold, giving it a similar name “vo1d” (replacing the lowercase “l” with the number “1”). The name of the malware comes from the name of this file. Moreover, this spelling is consistent with the English word “void”.

the install-recovery.sh The file is a script found on most Android devices. It runs when the operating system boots and contains data to automatically run the items specified in it. If any malware has root access and the ability to write to /system System directory, it can install itself on the infected machine by adding itself to this script (or by creating it from scratch if it is not present on the system). Android.Vo1d Autoplay has been recorded for friendship The component in this file.

the Demonso The file is present on many rooted Android devices. It is launched by the operating system when it starts up and is responsible for providing root privileges to the user. Android.Vo1d It is registered in this file as well, after setting up autoplay as well. friendship lonliness.

the debugger The file is a malicious program that is normally used to generate error reports. But when the TV was infected, this file was replaced with the script that runs friendship component.

the debuggerd_real The file in the case we are reviewing is a copy of the script that was used to replace the real file. debugger Doctor Web experts believe that the Trojan authors intended the original file to be debugger To be transferred to debuggerd_real To maintain its functionality. However, since the infection may have occurred twice, the Trojan had already transferred the replacement file (i.e. the script). As a result, the machine had two Trojan scripts and not one real file. debugger Program file.

Meanwhile, other users who contacted us had a slightly different list of files on their infected machines:

• Demonso (the Voice1D Analog file — Android.Vo1d.1);
• friendship (Android.Vo1d.3);
• debugger (Same text as above);
• debuggerd_real (Original file for debugger tool);
• install-recovery.sh (A script that loads the objects specified in it.)

Analysis of all the above files showed that in order to consolidate Android.Vo1d in The system, its authors used at least three different methods: modification install-recovery.sh and Demonso Files and Replace debugger They probably expected at least one of the targeted files to be present on the infected system, as tampering with just one of them would ensure the successful automatic launch of the Trojan during subsequent machine reboots.

Android.Vo1dThe main function of ‘s is hidden in Voice1D (Android.Vo1d.1) and friendship (Android.Vo1d.3) Ingredients that work in harmony. Android.Vo1d.1 The unit is responsible for Android.Vo1d.3It runs the program’s activity and controls its process, restarting its process if necessary. In addition, it can download and run executable files when prompted to do so from the C&C server. In turn, Android.Vo1d.3 The unit installs and operates. Android.Vo1d.5 A program that is encrypted and stored in its body. This module can also download and run executable files. Furthermore, it monitors specified directories and installs APK files it finds in them.

The spread of the infection is widely distributed geographically, with the largest numbers being detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria and Indonesia.

It’s not particularly easy for less experienced people to check whether a device is infected without installing malware scanners. Doctor Web says its Android antivirus will detect all Vo1d variants and sanitize devices that have root access. More experienced users can check for indicators of compromise here.