New Vo1d Malware Infects 1.3 Million Android TV Containers Worldwide
Practically 1.3 million Android-based TV containers working outdated variations of the working system and belonging to customers spanning 197 nations have been contaminated by a brand new malware dubbed Vo1d (aka Void).
“It’s a backdoor that places its parts within the system storage space and, when commanded by attackers, is able to secretly downloading and putting in third-party software program,” Russian antivirus vendor Physician Net said in a report revealed immediately.
A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.
It is at present not identified what the supply of the an infection is, though it is suspected that it might have both concerned an occasion of prior compromise that enables for gaining root privileges or using unofficial firmware variations with built-in root entry.
The next TV fashions have been focused as a part of the marketing campaign –
- KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Construct/NHG47K)
- R4 (Android 7.1.2; R4 Construct/NHG47K)
- TV BOX (Android 12.1; TV BOX Construct/NHG47K)
The assault entails the substitution of the “/system/bin/debuggerd” daemon file (with the unique file moved to a backup file named “debuggerd_real”), in addition to the introduction of two new information – “/system/xbin/vo1d” and “/system/xbin/wd” – which include the malicious code and function concurrently.
“Earlier than Android 8.0, crashes have been dealt with by the debuggerd and debuggerd64 daemons,” Google notes in its Android documentation. “In Android 8.0 and better, crash_dump32 and crash_dump64 are spawned as wanted.”
Two completely different information shipped as a part of the Android working system – install-recovery.sh and daemonsu – have been modified as a part of the marketing campaign to set off the execution of the malware by beginning the “wd” module.
“The trojan’s authors in all probability tried to disguise one if its parts because the system program ‘/system/bin/vold,’ having referred to as it by the similar-looking identify ‘vo1d’ (substituting the lowercase letter ‘l’ with the quantity ‘1’),” Physician Net stated.
The “vo1d” payload, in flip, begins “wd” and ensures it is persistently working, whereas additionally downloading and working executables when instructed by a command-and-control (C2) server. Moreover, it retains tabs on specified directories and installs the APK information that it finds in them.
“Sadly, it’s not unusual for price range gadget producers to make the most of older OS variations and go them off as extra up-to-date ones to make them extra enticing,” the corporate stated.