Full Report
Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d. The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries. As of February 25, 2025, India has experienced a
Analysis Summary
# Threat Actor: Vo1d Botnet Operators / Vo1d
## Attribution & Identity
The threat actor or group operating the Vo1d botnet is currently attributed to financially motivated cybercrime, likely involving the rental of botnet infrastructure to other criminal actors. The malware was first documented by Doctor Web in September 2024. There are no specific named threat groups attributed to the core operation, though the infrastructure is potentially leased out.
## Activity Summary
Vo1d is a botnet malware specifically targeting **Android TV devices**. An improved variant has aggressively scaled its operations.
* The botnet reached a peak of 1,590,299 active IP addresses on January 19, 2025, spanning 226 countries.
* As of February 25, 2025, India showed a significant surge in infections (up to 18.17% infection rate).
* Historical targets mentioned include Brazil, South Africa, Indonesia, Argentina, and Thailand.
* The primary stated intent is to facilitate the creation of a proxy network and related activities such as advertisement click fraud.
* The infrastructure is suspected to operate on a "rental-return" cycle, being leased to other criminal actors for specific operations before returning to the main network.
## Tactics, Techniques & Procedures
- **Initial Compromise:** Suspected to involve supply chain attacks or the use of unofficial firmware versions with built-in root access for non-Play Protect-certified Android TV devices (likely using AOSP source code).
- **Execution & Worming:** The initial compromise involves a backdoor capable of downloading additional executables. The updated ELF malware (s63) downloads, decrypts, and executes a second-stage payload.
- **Persistence:** The malicious Android app (masquerading as Google Play Services) sets up persistence by listening for the `BOOT_COMPLETED` event to run automatically upon reboot.
- **Evasion/Stealth:** The improved variant adds enhanced stealth and anti-detection capabilities.
- **Communication Security:** Uses RSA encryption to secure network communication, preventing C2 takeover even if DGA domains are found.
- **C2 Architecture:** Employs a multi-layered C2 structure using a hardcoded **Redirector C2** to provide the bot with the real C2 server address, complemented by a large pool of DGA-generated domains.
- **Payload Delivery:** Each payload uses a unique Downloader secured with XXTEA encryption and RSA-protected keys.
- **Masquerading:** Malicious Android app uses the package name `com.google.android.gms.stable` to mimic legitimate Google Play Services (`com.google.android.gms`).
- **Post-Infection Module Deployment:** Deploys a modular Android malware named **Mzmess**, which includes specialized plugins for proxy services and ad promotion.
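The masquerading and persistence items above (and the persistence-detection mitigation later in this report) reduce to a simple inventory check. This is an added example, not code from the report or from any Vo1d analysis tooling; the inventory rows are constructed and the field layout is an assumption.

```python
"""Triage an Android package inventory for two Vo1d-style signals:
(1) a package name that mimics com.google.android.gms but is not the
    genuine package, and (2) a BOOT_COMPLETED receiver registered by an
app outside the system partition. Added example: rows are constructed
and the field layout is an assumption, not output of a real tool."""
import re
from dataclasses import dataclass

GENUINE_GMS = "com.google.android.gms"
# Lookalike: the genuine name plus one or more extra segments (e.g. ".stable").
LOOKALIKE_RE = re.compile(r"^com\.google\.android\.gms\.[a-z0-9_.]+$")

@dataclass(frozen=True)
class Pkg:
    name: str
    is_system: bool       # installed under /system vs. a user-installed app
    boot_receiver: bool   # declares a receiver for android.intent.action.BOOT_COMPLETED

def classify(pkg: Pkg) -> list[str]:
    """Return the signals a single package triggers (empty list = nothing)."""
    findings = []
    if LOOKALIKE_RE.match(pkg.name):
        findings.append("gms-lookalike-name")
    # Vo1d is suspected to ship inside unofficial firmware, so a system
    # location does not clear a package; the name check runs regardless.
    if pkg.boot_receiver and not pkg.is_system:
        findings.append("user-app-boot-receiver")
    return findings

def triage(inventory):
    """Map package name -> signals for every package that triggers any."""
    return {p.name: f for p in inventory if (f := classify(p))}

# Constructed sample inventory (not real device output).
SAMPLE = [
    Pkg("com.google.android.gms", True, True),          # genuine Play Services
    Pkg("com.google.android.gms.stable", False, True),  # package name used by Vo1d
    Pkg("com.example.weather", False, True),            # benign boot receiver, still worth review
    Pkg("com.android.settings", True, False),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(f"{name}: {', '.join(hits)}")
```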
## Targeting
- **Sectors:** Not explicitly defined by sector, but targets users of Android TV devices, particularly "off-brand" models.
- **Geography:** Active across 226 countries, with recent focus areas including Brazil, South Africa, Indonesia, Argentina, Thailand, and a major surge in India.
- **Victims:** Owners/Users of infected Android TV boxes/devices.
## Tools & Infrastructure
- **Malware Families Used:** Vo1d (core botnet), Mzmess (downstream modular malware).
- **Specific Components:** ELF malware (s63), Downloader (XXTEA/RSA encrypted), Shell script (install.sh), CV component, Vo1d module, Mzmess plugins (Popa, Jaguar, Lxhwdg, Spirit).
- **Infrastructure:** Utilizes a Redirector C2 linking to real C2 servers via a large pool of DGA-generated domains.
- **Defanged URLs/IPs:**
  - C2 domains generated via DGA (specific domains not listed).
  - IP addresses indicating botnet scale: up to 1,590,299 daily active IPs.
## Implications
The Vo1d botnet represents a significant, commercially viable, and highly resilient threat to the Android IoT ecosystem, specifically targeting low-security Android TV devices. Its massive scale and sophisticated encryption make analysis and mitigation difficult. The deployment of Mzmess further extends its capabilities for profit generation (ad fraud, proxy services). The potential for future pivoting to high-impact attacks (like large-scale DDoS, unauthorized content broadcasting) creates a substantial long-term security risk.
## Mitigations
- **Device Security:** Users should opt only for Android TV devices certified by Google Play Protect. Avoid "off-brand" or uncertified devices that may rely on insecure AOSP codebases.
- **Supply Chain Vigilance:** Organizations or users sourcing hardware should vet firmware providers to prevent supply chain compromise.
- **Network Monitoring:** Monitor outbound traffic for unusual communication patterns indicative of DGA usage or redirection C2 activity associated with known Vo1d indicators.
- **Persistence Detection:** Implement enhanced monitoring on Android devices for unexpected `BOOT_COMPLETED` event listeners or unauthorized self-launching components.
- **Code Analysis:** Organizations dealing with Android firmware should utilize tools capable of decrypting RSA-protected and XXTEA-encrypted payloads common in this malware family.
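A first-pass detector for the DGA behaviour the network-monitoring mitigation (and the C2 description in Tools & Infrastructure) refers to: per client, count distinct second-level names, the NXDOMAIN ratio and mean name entropy over resolver logs. Added example, not from the report or from any Vo1d tooling; the log lines are constructed, and the `ts client qname rcode` layout and the thresholds are assumptions.

```python
"""Score outbound DNS queries for the DGA pattern in the report: a client
cycling through many distinct, high-entropy names, most of which resolve
to NXDOMAIN. Added example; the log lines are constructed and the
"ts client qname rcode" layout is an assumption, not a Vo1d artefact."""
import math
from collections import defaultdict

def shannon_entropy(s: str) -> float:
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def second_level(qname: str) -> str:
    """Label left of the TLD (simplified: assumes a one-label public suffix)."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def score_clients(lines, min_names=5, nx_threshold=0.6, entropy_threshold=3.0):
    """Return {client: (distinct_names, nxdomain_ratio, mean_entropy)} for
    clients whose query mix matches the DGA heuristic."""
    stats = defaultdict(lambda: {"names": set(), "nx": 0, "total": 0})
    for line in lines:
        _ts, client, qname, rcode = line.split()
        s = stats[client]
        s["names"].add(second_level(qname).lower())
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
    flagged = {}
    for client, s in stats.items():
        if len(s["names"]) < min_names:
            continue  # too few distinct names to judge
        nx_ratio = s["nx"] / s["total"]
        mean_ent = sum(map(shannon_entropy, s["names"])) / len(s["names"])
        # Thresholds are illustrative; tune against the network's own baseline.
        if nx_ratio >= nx_threshold and mean_ent >= entropy_threshold:
            flagged[client] = (len(s["names"]), round(nx_ratio, 2), round(mean_ent, 2))
    return flagged

# Constructed resolver log: one TV box cycling DGA names, one normal client.
SAMPLE_LOG = """\
1 10.0.0.21 xk3q9vbmz7aw.com NXDOMAIN
1 10.0.0.21 p0dw8ylq2tcn.net NXDOMAIN
1 10.0.0.21 rv6hgs4ejmbz.org NXDOMAIN
1 10.0.0.21 u2lcnx7tkq9d.com NXDOMAIN
1 10.0.0.21 mz8bqt5ywe3h.info NOERROR
2 10.0.0.7 www.google.com NOERROR
2 10.0.0.7 netflix.com NOERROR
2 10.0.0.7 android.clients.google.com NOERROR
2 10.0.0.7 connectivitycheck.gstatic.com NOERROR
""".splitlines()
```

Running `score_clients(SAMPLE_LOG)` flags only `10.0.0.21`; the normal client never reaches the distinct-name minimum and has no NXDOMAIN answers.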