Doctor Web, a cybersecurity company, reported that Android.Vo1d malware has infected approximately 1.3 million Android TV boxes built on Android Open Source Project (AOSP) code. These boxes do not carry Google's Android TV or Google TV branding.
The infections were observed on unbranded Android TV boxes of three models, running firmware identified as Android 7.1, Android 10.1, and Android 12.1. The affected devices are concentrated in developing countries: Brazil accounts for 28% of infected boxes, Morocco 7.0%, Pakistan 5.1%, and in Southeast Asia Malaysia 3% and Indonesia 2%. Thailand appears only marginally, and no figure is available for it.
Indicators of an infection are four files at the following paths. debuggerd is a legitimate Android daemon, so its presence alone proves nothing, but a debuggerd_real beside it indicates the original was moved aside and replaced:
/system/xbin/vo1d
/system/xbin/wd
/system/bin/debuggerd
/system/bin/debuggerd_real
In addition, two existing system files, install-recovery.sh and daemonsu, were modified. Doctor Web noted that the exact vulnerability used to plant the malware is still unclear, but the likely cause is that these boxes never receive updates and therefore carry many unpatched security vulnerabilities.
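As an added example (not code from Doctor Web or the article), the following POSIX shell script checks a device, or an extracted firmware tree, for the file indicators listed above. The file names come from the article; the script name, the optional root-path argument, and the hashing of the modified files are this example's own choices.

```shell
#!/bin/sh
# Added example, not from Doctor Web's report or the article: a best-effort check
# for the Vo1d file indicators named above. Run it on the box itself
#   adb push vo1d_check.sh /data/local/tmp/ && adb shell sh /data/local/tmp/vo1d_check.sh
# or point it at an extracted firmware tree:
#   sh vo1d_check.sh /path/to/extracted
# The script name and the ROOT argument are this example's own conventions.

# Files the article lists as created by Vo1d. vo1d and wd have no business on a
# clean system; debuggerd is a normal Android daemon, so it is not listed here,
# but a debuggerd_real beside it means the original was moved aside.
VO1D_NEW_FILES="/system/xbin/vo1d /system/xbin/wd /system/bin/debuggerd_real"

# Files the article says are modified rather than created (plus debuggerd, which
# is replaced). Their location varies between firmware builds, so they are found
# by name and only hashed here; compare the digests against a known-clean image
# of the same firmware.
VO1D_MODIFIED_NAMES="install-recovery.sh daemonsu debuggerd"

# vo1d_scan [ROOT]: print indicators found under ROOT (default: the live root).
# Exit status is the number of created-file indicators found, so 0 means "none
# of the listed files are present", not "certified clean".
vo1d_scan() {
    root="${1:-}"
    hits=0
    for p in $VO1D_NEW_FILES; do
        if [ -e "$root$p" ]; then
            echo "FOUND  $p"
            hits=$((hits + 1))
        fi
    done
    for name in $VO1D_MODIFIED_NAMES; do
        find "$root/system" -type f -name "$name" 2>/dev/null |
        while IFS= read -r f; do
            sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
            echo "CHECK  ${f#"$root"}  sha256=${sum:-unreadable}"
        done
    done
    if [ "$hits" -eq 0 ]; then
        echo "No Vo1d file indicators found under ${root:-/}"
    else
        echo "$hits Vo1d file indicator(s) found under ${root:-/}"
    fi
    return "$hits"
}

vo1d_scan "$@"
```

Push the script with adb and run it in adb shell; /system is world-readable on most devices, so root is not needed for the check. A zero result only means these specific files are absent. A trojanized debuggerd has the same name as the legitimate one, so the CHECK lines are only meaningful when the digests are compared with the same files taken from a known-clean image of that firmware.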
Ars Technica asked Google about the issue. Google responded that these devices are not Play Protect certified, so Google has no security data about them. Users can check whether a device is certified by opening the Play Store, selecting the profile icon, and choosing Settings > About, where the Play Protect certification status is shown.
TLDR: Doctor Web identified the Android.Vo1d malware on unbranded Android TV boxes and attributes its spread to devices that never receive updates and carry numerous unpatched vulnerabilities. Checking whether a device is Play Protect certified is the recommended way to tell whether Google provides security data for it.