Brazil, South Africa, Indonesia, Argentina and Thailand have become the targets of a campaign that has infected Android TV devices with a malware called Vo1d.
The improved Vo1d variant was found to encompass 800,000 daily active IP addresses, with the botnet reaching a peak of 1,590,299 on January 19, 2025, and spanning 226 countries. As of February 25, 2025, India experienced a significant increase in its infection rate, from less than 1% (3,901) to 18.17% (217,771).
“Vo1d has evolved to improve its stealth, resilience and anti-detection abilities,” Qianxin XLab said. “RSA encryption secures network communication, preventing [command-and-control] takeover even if [Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique downloader, with XXTEA encryption and keys protected by RSA, which makes analysis more difficult.”
The malware was first documented by Doctor Web in September 2024 as affecting Android-based TV boxes by means of a backdoor capable of downloading additional executables according to instructions issued by the command-and-control (C2) server.
It is not known exactly how the compromises take place, although they are suspected to involve some kind of supply chain attack or the use of unofficial firmware versions with built-in root access.
Google told The Hacker News at the time that the infected “off-brand” TV models were not Play Protect certified Android devices and that they likely used source code from the Android Open Source Project (AOSP).
The latest iteration of the malware campaign shows that it operates at a large scale in order to facilitate the creation of a proxy network and activities such as ad clicking.
XLab has theorized that the rapid fluctuation in the botnet's activity is likely due to the rental of its infrastructure in specific regions to other criminal actors, as part of what it described as a “rent-return” cycle in which bots are rented out for a defined period of time to enable illegal operations, after which they rejoin the larger Vo1d network.
An analysis of the new version of the ELF malware (s63) has revealed that it is designed to download, decrypt and execute a second-stage payload, which is responsible for establishing communications with a C2 server.
The decrypted compressed package (ts01) contains four files: install.sh, cv, vo1d and x.apk. It begins with the shell script launching the cv component, which in turn launches both vo1d and the Android application after installing it.
The main function of the vo1d module is to decrypt and load an embedded payload, a backdoor capable of establishing communication with a C2 server and downloading and executing a native library.
“Its main functionality remains unchanged,” XLab said. “However, it has undergone significant updates to its network communication mechanisms, in particular introducing a C2 redirector. The C2 redirector is used to provide the bot with the real address of the C2 server, leveraging a hard-coded redirector and a large pool of DGA-generated domains to build an extensive network architecture.”
For its part, the malicious Android application uses the Google Play Services package name (“com.google.android.gms”) to fly under the radar. It establishes persistence on the host by listening for the “BOOT_COMPLETED” event so that it runs automatically after each reboot.
It is also designed to launch two other components that have functionality similar to that of the vo1d module. The attack chain paves the way for the deployment of a modular Android malware named Mzmess, which incorporates four different plugins:
- Popa (“com.app.mz.popan”) and Jaguar (“com.app.mz.jaguarn”) for proxy services
- LXHWDG (“com.app.mz.lxhwdgn”), whose purpose remains unknown owing to its C2 server being offline
- Spirit (“com.app.mz.spiritn”) for ad promotion and traffic inflation
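The two concrete indicators the article gives a defender are the Mzmess plugin package names listed above and a user-installed app that borrows the Play Services package name. The script below is an added example (not code from the article or from XLab) that applies both checks to the output of `adb shell pm list packages -f`; the output lines it parses are constructed samples, and the assumption that genuine Play Services lives under a system partition (/system, /system_ext, /product) while the impostor is installed as a user app under /data/app is the author's heuristic, not something the article states.

```python
"""Added example: flag Vo1d/Mzmess indicators in `pm list packages -f` output.

Not part of the original article or of XLab's analysis. The sample output at
the bottom is constructed; run the real thing with
    adb shell pm list packages -f | python3 this_script.py
"""
import re
import sys

# Package names the article attributes to the Mzmess plugins.
MZMESS_PACKAGES = {
    "com.app.mz.popan": "Popa (proxy)",
    "com.app.mz.jaguarn": "Jaguar (proxy)",
    "com.app.mz.lxhwdgn": "LXHWDG (purpose unknown)",
    "com.app.mz.spiritn": "Spirit (ad promotion / traffic inflation)",
}

# Package name the malicious APK impersonates, per the article.
GMS_PACKAGE = "com.google.android.gms"

# Assumption: genuine Play Services is a privileged system app installed under
# one of these partitions. An APK with this name under /data/app was sideloaded.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# `pm list packages -f` prints one line per app: package:<apk path>=<package name>
# The path itself may contain '=' (e.g. /data/app/~~abc==/...), so match the
# package name from the end of the line, where '=' never appears.
LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<name>[^=\s]+)$")


def parse_pm_list(text):
    """Map package name -> APK path for every well-formed line in `text`."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("name")] = match.group("path")
    return packages


def find_indicators(packages):
    """Return (package, reason) tuples for packages matching either indicator."""
    findings = []
    for name, path in packages.items():
        if name in MZMESS_PACKAGES:
            findings.append((name, "known Mzmess plugin: " + MZMESS_PACKAGES[name]))
        elif name == GMS_PACKAGE and not path.startswith(SYSTEM_PREFIXES):
            findings.append((name, "Play Services package name installed as a user app at " + path))
    return findings


# Constructed sample: one benign system app, one benign user app, a sideloaded
# app impersonating Play Services, and one Mzmess proxy plugin.
SAMPLE_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~aaaa==/com.example.player-bbbb==/base.apk=com.example.player
package:/data/app/~~cccc==/com.google.android.gms-dddd==/base.apk=com.google.android.gms
package:/data/app/~~eeee==/com.app.mz.popan-ffff==/base.apk=com.app.mz.popan
"""


def scan(text):
    """Parse `pm list packages -f` output and return the findings."""
    return find_indicators(parse_pm_list(text))


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for pkg, reason in scan(data):
        print(f"[!] {pkg}: {reason}")
```

A hit on either check is a reason to pull the APK (`adb pull` on the listed path) and compare its signing certificate with the one on a known-good device; the script deliberately stops at flagging, since the article gives no hashes or certificate fingerprints to match against.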
The absence of infrastructure overlap between Mzmess and Vo1d raises the possibility that the threat actor behind the malicious activity is renting the service out to other groups.
“Currently, Vo1d is used for profit, but its total control over the devices allows attackers to pivot to large-scale cyber attacks or other criminal activities [such as distributed denial-of-service (DDoS) attacks],” XLab said. “Hackers could exploit them to distribute unauthorized content.”