Dr.Web Discovers Android.Vo1d Virus Targeting Android Set-Top Boxes, Over 1.3 Million Devices Infected
The cybersecurity firm Dr.Web reports in its latest blog post that a piece of malware targeting Android set-top boxes is spreading widely. The malware, named Android.Vo1d, has infected over 1.3 million devices across 197 countries and regions.
The incident began in August 2024, when Dr.Web received multiple reports from users indicating that their security software detected changes in the device's system file partition. This issue was primarily found in the following models and firmware versions:
| Device Name | System Version | Build Version |
|---|---|---|
| R4 | Android 7.1.2 | R4 Build/NHG47K |
| TV BOX | Android 12.1 | TV BOX Build/NHG47K |
| KJ-SMART4KVIP | Android 10.1 | SJ-SMART4KVIP Build/NHG47K |
Upon analysis, Dr.Web discovered four new files in the system partition of all affected devices:
- /system/xbin/vo1d
- /system/xbin/wd
- /system/bin/debuggerd
- /system/bin/debuggerd_real
The vo1d and wd files are components of the Trojan, which is why Dr.Web named it Android.Vo1d. The name is deliberately deceptive: the "i" in "void" is replaced with the digit "1" so that the files look like ordinary system files to a casual observer.
The attackers modified the install-recovery.sh script so that the Trojan is launched with root privileges at every boot, giving them the ability to perform arbitrary actions on the infected set-top box.
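The file paths and the install-recovery.sh persistence described above are enough for a defender to build a simple offline check. The following script is an added example, not code from Dr.Web or from the article: it walks a directory tree that mirrors a set-top box's /system partition (for instance one pulled with `adb pull /system ./system_dump`) and counts the indicators. The indicator paths come from the article; the function name, the dump-directory layout, the assumption that install-recovery.sh lives under bin/ or etc/, and the heuristic that a tampered debuggerd references the Trojan's components are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not Dr.Web's or the article's code): count Android.Vo1d
# file-system indicators under a copied /system tree.

# Files the article lists that should never exist on a clean device.
# /system/bin/debuggerd is a legitimate binary, so it is checked separately.
VO1D_PATHS="xbin/vo1d xbin/wd bin/debuggerd_real"

# Assumed locations of install-recovery.sh relative to the /system root.
VO1D_RC_CANDIDATES="bin/install-recovery.sh etc/install-recovery.sh"

# check_vo1d_indicators <system_root>
# Prints one line per finding; return value is the number of findings (0 = clean).
check_vo1d_indicators() {
    vo1d_root="$1"
    vo1d_findings=0

    # 1. Presence of the Trojan's own files and the renamed real debuggerd.
    for vo1d_rel in $VO1D_PATHS; do
        if [ -e "$vo1d_root/$vo1d_rel" ]; then
            echo "FOUND: $vo1d_root/$vo1d_rel"
            vo1d_findings=$((vo1d_findings + 1))
        fi
    done

    # 2. Heuristic: a debuggerd that mentions the Trojan components or the
    #    renamed original has been replaced by a launcher script.
    vo1d_dbg="$vo1d_root/bin/debuggerd"
    if [ -f "$vo1d_dbg" ] && grep -q -a -e 'vo1d' -e 'debuggerd_real' "$vo1d_dbg" 2>/dev/null; then
        echo "FOUND: $vo1d_dbg references Trojan components (possible launcher script)"
        vo1d_findings=$((vo1d_findings + 1))
    fi

    # 3. Persistence: install-recovery.sh starting the Trojan at boot.
    for vo1d_rel in $VO1D_RC_CANDIDATES; do
        vo1d_rc="$vo1d_root/$vo1d_rel"
        if [ -f "$vo1d_rc" ] && grep -q -a -E 'xbin/(vo1d|wd)' "$vo1d_rc" 2>/dev/null; then
            echo "FOUND: $vo1d_rc launches Trojan components at boot"
            vo1d_findings=$((vo1d_findings + 1))
        fi
    done

    return "$vo1d_findings"
}

# Usage: sh vo1d_check.sh ./system_dump
if [ -n "${1:-}" ]; then
    vo1d_n=0
    check_vo1d_indicators "$1" || vo1d_n=$?
    if [ "$vo1d_n" -eq 0 ]; then
        echo "no Android.Vo1d indicators found under $1"
    else
        echo "$vo1d_n indicator(s) found under $1; treat the device as compromised"
    fi
fi
```

A non-zero count is a signal to investigate, not proof by itself: the grep heuristics on debuggerd and install-recovery.sh can be evaded by a variant that renames its components, so the file-presence checks remain the most reliable part. Because the infection lives in the read-only system partition with root privileges, a positive result on a box that cannot be re-flashed means the device should be treated as permanently untrusted.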
The attack does not seem to target any specific region, with the highest number of infections in:
- Brazil
- Morocco
- Pakistan
- Saudi Arabia
- Russia
- Argentina
- Ecuador
- Tunisia
- Malaysia
- Algeria
- Indonesia
It is still unclear how the malware is spreading so widely, but most of these Android set-top boxes run outdated versions of Android that no longer receive security updates, leaving known vulnerabilities exploitable.
Dr.Web for Android has now added Android.Vo1d to its definition updates. If Dr.Web has root access, it can remove the virus; however, without root permission, complete removal might not be possible.