New version of Vo1d botnet on hundreds of thousands of devices with Android TV

The Vo1d botnet discovered in 2024 is still active. A new version has now been taken apart by security researchers.

Android TV stick is attacked by malware

(Image: created with AI in Bing Designer by heise online / dmk)


According to the latest analyses, the botnet dubbed "Vo1d" by security experts has continued to spread from the end of 2024 until now. Security researchers from Xlab observed a peak of around 1.6 million active devices running unofficial versions of Android TV that were integrated into Vo1d.

As the researchers write in a detailed blog post, a new variant of the malware was used. It was first discovered at the end of November 2024 in an executable file named "jddx". Based on technical similarities with the Vo1d observed in 2024, the analysts assigned the software to this malware family. From this it can be concluded, even if Xlab does not say so explicitly, that the new Vo1d strain also attacks only devices running an Android build from the open-source branch AOSP.

Following the discovery of the malware last year, Google also made it clear that it does not run on devices protected by Play Protect, such as televisions marketed as "Android TV". Rather, according to Google, Vo1d is active exclusively on set-top boxes on which a modified version of AOSP has been dressed up as a supposed Android TV. Unlike official Android TV devices, such boxes are available from numerous sellers for a fraction of the price of original devices. Xlab now also points out that the spread of Vo1d may have begun as early as the supply chain.

According to the security researchers, the manufacturers may have worked together with malware gangs to install the malware on the boxes ex works. Another distribution channel, according to Xlab, could be software that users install for dubious streaming services; such generally illegal services are also an easy source of other malware. A further possible infection path for Vo1d remains unclear.


During the observation period of the new Vo1d, the researchers registered a peak of just under 1.6 million devices in January 2025. This figure then fell to around 800,000 active installations. Xlab attributes this to the botnet operators possibly having sold the hijacked devices to other gangs, a common practice in the malware industry. According to Xlab, one of the services offered by the Vo1d operators themselves is an opaque proxy network. Ad fraud and fake advertising traffic are also part of the business model, as is click fraud.

Xlab's blog post lists numerous technical features of Vo1d, including better encryption than in the first versions and enhanced protection against detection. There is also an extensive online infrastructure with dozens of domains and command-and-control servers. It appears that Vo1d is backed by a professional cybercrime organization.

In the first two weeks of February, Xlab also analyzed the regional distribution of Vo1d. The active devices are predominantly found in the Global South, almost a quarter of them in Brazil. This is followed by South Africa with 13.6 percent and Indonesia with 10.54 percent. After that, there are only single-digit percentages, with devices in Germany accounting for 2.17 percent. Based on 800,000 active Vo1d devices in total, that would still be over 17,000 machines in Germany, enough for DDoS attacks on medium-sized targets such as companies. The danger posed by botnets on supposedly unproblematic devices such as set-top boxes therefore appears to be increasing.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.