Security Affairs
Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Enhanced capabilities sustain the rapid growth of Vo1d botnet

Operators behind the Vo1d botnet have enhanced its capabilities, enabling rapid growth in recent months. In September 2024, Doctor Web researchers uncovered a malware, tracked as Vo1d, that infected nearly 1.3 million Android-based TV boxes belonging to users in 197 countries. The malicious code acts as a backdoor allowing attackers to download and install third-party software […]

Vo1d Android malware

Operators behind the Vo1d botnet have enhanced its capabilities, enabling rapid growth in recent months.

In September 2024, Doctor Web researchers uncovered a malware, tracked as Vo1d, that infected nearly 1.3 million Android-based TV boxes belonging to users in 197 countries. The malicious code acts as a backdoor allowing attackers to download and install third-party software secretly.

In August 2024, several users reported that Dr.Web antivirus detected changes in their TV box system files. The problems were observed in several models, including the R4 (Android 7.1.2), TV BOX (Android 12.1), and KJ-SMART4KVIP (Android 10.1). The indicators of compromise were similar in all cases, with modifications to system files like install-recovery.sh and daemonsu. Additionally, four new files appeared: vo1dwddebuggerd, and debuggerd_real. The vo1d and wd files were identified as components of Vo1d Android trojan.

The experts reported that the geographical distribution of the infections included almost 200 countries. The largest number of infections was reported in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

Doctor Web observed that attackers target TV boxes because these devices often run outdated Android versions with unpatched vulnerabilities and lack updates. Many users reported devices labeled as running Android 10 or 12, but they were actually using Android 7.1. Unfortunately, manufacturers often sell older OS versions as newer ones. Users may also mistakenly believe TV boxes are more secure than smartphones and are less likely to install antivirus software, increasing their risk when downloading third-party apps or unofficial firmware.

Researchers at the Chinese cybersecurity firm QiAnXin (QAX) recently discovered 89 new malware samples. The botnet has ~800,000 daily active IPs, peaking at 1,590,299 on January 14, 2025. 

Vo1d botnet has enhanced its stealth and resilience with RSA encryption to secure communication, preventing C2 takeover. Its infrastructure now includes hardcoded and DGA-based Redirector C2s for flexibility. Payload delivery is optimized with unique Downloaders using XXTEA encryption and RSA-protected keys, making analysis and detection significantly harder.

QiAnXin speculates that Vo1d’s main goal is building a proxy network, similar to 911 S5, which made $99M in illicit profits. In May 2024, an international law enforcement operation led by the U.S. DoJ disrupted the 911 S5 botnet and led to the arrest of its administrator, opening new opportunities for botnets providing anonymization services like Vo1d.

24,97% of Vo1d-infected devices are in Brazil, followed by South Africa (13%), Indonesia (10%), Argentina (5%), Thailand (3%), and China (3%), spanning 200+ regions.

“Vo1d’s massive scale and continuous evolution pose a severe, long-term threat to global cybersecurity. Its ability to operate undetected for over three months highlights its stealth. By sharing our findings, we aim to contribute to the fight against cybercrime and raise awareness of this formidable threat.” concludes the report that includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)