New malware on 1.3 million Android TV boxes – especially on low-cost devices

New malware has appeared on various Android TV boxes. Only certain devices are affected.

A remote control is held in front of a television.

(Image: created with AI in Bing Designer by heise online / dmk)


A backdoor malware called "Vo1d" has apparently infected 1.3 million Android TV boxes that use open source versions of the operating system. It enables the authors to control the devices remotely and install other malicious elements. According to the IT security service provider Dr. Web, devices in 197 countries are affected.

According to the report by the Russian IT security service provider Dr. Web, "Vo1d" is particularly widespread in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria and Indonesia. The backdoor, whose exact origin is not yet known, installs its components in the device's system storage and thus gives its creators remote access to the boxes, which are used to turn an ordinary TV into an Android-enabled device.

On command, the devices can then, for example, secretly download further malicious software or be misused as part of a larger botnet. Google also commented on the case at the request of the Bleeping Computer portal and clarified that the affected devices are exclusively TV boxes running builds of the "Android Open Source Project" (AOSP), not Android TV.

Such AOSP builds are distinct from Android TV, Google's licensed operating system for televisions, and are not Play Protect certified. In its statement, Google pointed out that Android TV may only be used by licensed manufacturers and that Google has no access to security reports or compatibility test results for AOSP devices. Google provides instructions for users who want to check whether their device is Play Protect certified.

The fact that "Vo1d" apparently only attacks devices with AOSP software also suggests that it mainly affects low-priced, low-quality devices. Manufacturers of such devices often save costs by installing AOSP on their devices. In addition, such devices frequently advertise a newer Android version than the one actually shipped.

Outdated AOSP versions with unpatched vulnerabilities are one possible vector by which the malware could have reached the devices, the analysts at Dr. Web suspect, although nothing is yet known about its exact origin. Alternatively, an earlier malware infection may have served as the intermediary that obtained root privileges on the target devices.

Firmware versions that affected users have reported to Dr. Web include:

  • Android 7.1.2; R4 Build/NHG47K
  • Android 12.1; TV BOX Build/NHG47K
  • Android 10.1; KJ-SMART4KVIP Build/NHG47K

All three carry the same build identifier, NHG47K, which belongs to Android 7.1.2; the "Android 12.1" and "Android 10.1" labels are therefore most likely mis-declared versions of the same old firmware, matching the observation above.


Depending on the firmware, the malware either modified the startup scripts install-recovery.sh and daemonsu (the latter belonging to a root tool present on the device) or replaced the system daemon debuggerd, keeping the original under a new name. In addition, several new files appeared in the system partition:

  • /system/xbin/vo1d
  • /system/xbin/wd
  • /system/bin/debuggerd
  • /system/bin/debuggerd_real

Presumably, this is also where the software got its name: "Vo1d" is an inconspicuous lookalike of the legitimate system daemon /system/bin/vold (Android's volume manager), with the letter l replaced by the digit 1. The Vo1d malware itself resides in the files wd and vo1d. "Vo1d hides its main functionality in the components vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3), which work together," explains Dr. Web.
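One way to check a box for the file artefacts listed above, as an added example that is not code from the article or from Dr. Web's report: a POSIX shell script run against a filesystem root, either "/" on the device itself via `adb shell`, or a local directory holding a copy of /system pulled with `adb pull`. The "infected" sample tree it builds is constructed purely for the demonstration. Two parts go beyond what the page states and are marked as assumptions in the comments: that a modified startup script would reference the dropped binaries, and the generalised lookalike-name check (vo1d for vold is the one instance the page gives).

```shell
#!/bin/sh
# Added example, not code from the heise article or from Dr.Web: a quick
# indicator check for the Vo1d file artefacts the article names.
# Usage: sh vo1d_check.sh ROOT, where ROOT is "/" on the box itself
# (via `adb shell`) or a local directory holding a pulled copy of /system.
# Without an argument it runs on a constructed sample tree.

# Files the article lists as dropped. A clean device also has
# /system/bin/debuggerd, so only the renamed original counts here.
VO1D_DROPPED="system/xbin/vo1d system/xbin/wd system/bin/debuggerd_real"

# Startup scripts the article says were modified. The page does not show the
# modification itself; assumption: any reference to the dropped binaries in
# them is suspicious. daemonsu only exists on boxes shipped with a root tool.
VO1D_SCRIPTS="system/bin/install-recovery.sh system/etc/install-recovery.sh system/xbin/daemonsu"

# vo1d_scan ROOT: print findings to stderr, the number of findings to stdout.
vo1d_scan() {
    root=${1%/}
    count=0
    for rel in $VO1D_DROPPED; do
        if [ -e "$root/$rel" ]; then
            echo "[!] dropped file present: /$rel" >&2
            count=$((count + 1))
        fi
    done
    for rel in $VO1D_SCRIPTS; do
        if [ -f "$root/$rel" ] && grep -Eq 'vo1d|xbin/wd|debuggerd_real' "$root/$rel"; then
            echo "[!] startup script references Vo1d components: /$rel" >&2
            count=$((count + 1))
        fi
    done
    # Lookalike check (assumption, generalising the vo1d/vold trick): flag any
    # name in system/bin or system/xbin that becomes the name of an existing
    # binary when the digits 0 and 1 are read as the letters o and l.
    for f in "$root"/system/bin/* "$root"/system/xbin/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *[01]*) ;;      # only names containing 0 or 1 can be lookalikes
            *) continue ;;
        esac
        canon=$(printf '%s' "$name" | tr '01' 'ol')
        if [ -e "$root/system/bin/$canon" ] || [ -e "$root/system/xbin/$canon" ]; then
            echo "[!] lookalike name: ${f#$root} shadows $canon" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# vo1d_make_sample_tree DIR: build a constructed, fake "infected" /system
# layout for demonstration and testing; no real malware is involved and the
# startup-script content is an assumption, not the observed modification.
vo1d_make_sample_tree() {
    dir=$1
    mkdir -p "$dir/system/bin" "$dir/system/xbin"
    : > "$dir/system/bin/vold"            # legitimate volume daemon
    : > "$dir/system/bin/debuggerd"       # replaced by the malware ...
    : > "$dir/system/bin/debuggerd_real"  # ... which keeps the original here
    : > "$dir/system/xbin/vo1d"           # Android.Vo1d.1
    : > "$dir/system/xbin/wd"             # Android.Vo1d.3
    printf '#!/system/bin/sh\n/system/xbin/vo1d &\n' > "$dir/system/bin/install-recovery.sh"
}

if [ $# -gt 0 ]; then
    vo1d_scan "$1"
else
    demo=$(mktemp -d)
    vo1d_make_sample_tree "$demo"
    echo "constructed infected tree: $(vo1d_scan "$demo") finding(s)"
    rm -rf "$demo"
fi
```

On a real device, a finding of 0 only means these particular artefacts are absent; it does not prove the box is clean, and any nonzero result is a reason to reflash the firmware rather than to delete files by hand, since the modified startup scripts would re-launch the components.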

The Android.Vo1d.1 module is responsible for launching Android.Vo1d.3 and supervises it, restarting the process when needed. It can also download and execute executable files when instructed to do so by the command-and-control server.

The Android.Vo1d.3 module in turn installs and launches the daemon Android.Vo1d.5, which can likewise download and execute files. It also monitors certain directories and installs any APK files it finds in them.

Android TV boxes are often permanently switched on and connected to the Internet - which also means that the "Vo1d" software can carry out the above-mentioned activities continuously.

It has also not been ruled out that "Vo1d" reached the Android TV boxes via the supply chain, i.e. that the device manufacturers pre-installed the program. Affected users can try to fix the problem by installing the latest firmware version for their Android TV box.

However, the best advice for protecting yourself from malware such as "Vo1d" is not to use a device with AOSP software in the first place, but rather a Play Protect-certified device running Android TV. The inexpensive AOSP devices simply offer far too easy an entry point for malware.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.