{
	"id": "4afd5c0a-80c6-44ee-9c62-6511d6b3170e",
	"created_at": "2026-04-06T00:12:06.416782Z",
	"updated_at": "2026-04-10T13:12:59.541925Z",
	"deleted_at": null,
	"sha1_hash": "4199dc64f8b2969e358b6522b281bde98fcb04cb",
	"title": "Void captures over a million Android TV boxes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147155,
	"plain_text": "Void captures over a million Android TV boxes\r\nPublished: 2024-09-12 · Archived: 2026-04-05 15:16:55 UTC\r\nSeptember 12, 2024\r\nDoctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed Android.Vo1d, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.\r\nIn August 2024, Doctor Web was contacted by several users whose Dr.Web antivirus had detected changes in their device’s system file area. The problem occurred with these models:\r\nTV box model | Declared firmware version\r\nR4 | Android 7.1.2; R4 Build/NHG47K\r\nTV BOX | Android 12.1; TV BOX Build/NHG47K\r\nKJ-SMART4KVIP | Android 10.1; KJ-SMART4KVIP Build/NHG47K\r\nAll these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:\r\ninstall-recovery.sh\r\ndaemonsu\r\nIn addition, 4 new files emerged in its file system:\r\n/system/xbin/vo1d\r\n/system/xbin/wd\r\n/system/bin/debuggerd\r\n/system/bin/debuggerd_real\r\nThe vo1d and wd files are the components of the Android.Vo1d trojan that we discovered. The trojan’s authors probably tried to disguise one of its components as the system program /system/bin/vold by giving it the similar-looking name “vo1d” (substituting the lowercase letter “l” with the number “1”). The malicious program’s name comes from the name of this file. Moreover, this spelling is consonant with the English word “void”.\r\nhttps://news.drweb.com/show/?i=14900\r\nPage 1 of 4\r\nThe install-recovery.sh file is a script that is present on most Android devices. 
It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Android.Vo1d has registered the autostart for the wd component in this file.\r\nFigure: The modified install-recovery.sh file\r\nThe daemonsu file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. Android.Vo1d registered itself in this file, too, having also set up autostart for the wd module.\r\nThe debuggerd file is a daemon that is typically used to create reports on errors that have occurred. But when the TV box was infected, this file was replaced by the script that launches the wd component.\r\nThe debuggerd_real file in the case we are reviewing is a copy of the script that was used to substitute the real debuggerd file. Doctor Web experts believe that the trojan’s authors intended the original debuggerd to be moved into debuggerd_real to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). 
As a result, the device had two scripts from the trojan and not a single real debuggerd program file.\r\nAt the same time, other users who contacted us had a slightly different list of files on their infected devices:\r\ndaemonsu (the vo1d file analogue — Android.Vo1d.1);\r\nwd (Android.Vo1d.3);\r\ndebuggerd (the same script as described above);\r\ndebuggerd_real (the original file of the debuggerd tool);\r\ninstall-recovery.sh (a script that loads objects specified in it).\r\nAn analysis of all the aforementioned files showed that in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful automatic launch during subsequent device reboots.\r\nAndroid.Vo1d’s main functionality is concealed in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which operate in tandem. The Android.Vo1d.1 module is responsible for launching Android.Vo1d.3 and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C\u0026C server. In turn, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.\r\nA study conducted by Doctor Web malware analysts showed that the Android.Vo1d backdoor has infected around 1.3 million devices, while its geographical distribution included almost 200 countries. 
The largest number of infections were detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.\r\nFigure: Countries with the highest number of infected devices detected\r\nOne possible reason why the attackers distributing Android.Vo1d specifically chose TV boxes is that such devices often run on outdated Android versions, which have unpatched vulnerabilities and are no longer supported with updates. For example, the users who contacted us have models that are based on Android 7.1, despite the fact that for some of them the configuration indicates much newer versions, such as Android 10 and Android 12. Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive.\r\nIn addition, users themselves may mistakenly perceive TV boxes to be better protected devices, compared to smartphones. As a result, they may install anti-virus software on these less often and risk encountering malware when downloading third-party apps or installing unofficial firmware.\r\nAt the moment, the source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.\r\nDr.Web anti-virus for Android successfully detects all known Android.Vo1d trojan variants, and, if root access is available, cures the infected devices.\r\nIndicators of compromise\r\nMore details on Android.Vo1d.1\r\nMore details on Android.Vo1d.3\r\nMore details on Android.Vo1d.5\r\nSource: https://news.drweb.com/show/?i=14900",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.drweb.com/show/?i=14900"
	],
	"report_names": [
		"?i=14900"
	],
	"threat_actors": [],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4199dc64f8b2969e358b6522b281bde98fcb04cb.pdf",
		"text": "https://archive.orkl.eu/4199dc64f8b2969e358b6522b281bde98fcb04cb.txt",
		"img": "https://archive.orkl.eu/4199dc64f8b2969e358b6522b281bde98fcb04cb.jpg"
	}
}