1.3 million Android-based TV boxes backdoored; researchers still don’t know how

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Dozens of variants

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.

“At the moment, the source of the TV boxes’ backdoor infection remains unknown,” Thursday’s post stated. “One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The following device models infected by Vo1d are:

TV box model Declared firmware version
R4 Android 7.1.2; R4 Build/NHG47K
TV BOX Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP Android 10.1; KJ-SMART4KVIP Build/NHG47K

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What’s more, Doctor Web said it’s not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models.

Further, while only licensed device makers are permitted to modify Google’s AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

“These off-brand devices discovered to be infected were not Play Protect certified Android devices,” Google said in a statement. “If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

The statement said people can confirm a device runs Android TV OS by checking this link and following the steps listed here.

Doctor Web said that there are dozens of Vo1d variants that use different code and plant malware in slightly different storage areas, but that all achieve the same end result of connecting to an attacker-controlled server and installing a final component that can install additional malware when instructed. VirusTotal shows that most of the Vo1d variants were first uploaded to the malware identification site several months ago.

Researchers wrote:

All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:

  • install-recovery.sh
  • daemonsu

In addition, 4 new files emerged in its file system:

  • /system/xbin/vo1d
  • /system/xbin/wd
  • /system/bin/debuggerd
  • /system/bin/debuggerd_real

The vo1d and wd files are the components of the Android.Vo1d trojan that we discovered.

The trojan’s authors probably tried to disguise one if its components as the system program /system/bin/vold, having called it by the similar-looking name “vo1d” (substituting the lowercase letter “l” with the number “1”). The malicious program’s name comes from the name of this file. Moreover, this spelling is consonant with the English word “void”.

The install-recovery.sh file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Android.Vo1d has registered the autostart for the wd component in this file.

The modified install-recovery.sh file
The modified install-recovery.sh file
Doctor Web

The daemonsu file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. Android.Vo1d registered itself in this file, too, having also set up autostart for the wd module.

The debuggerd file is a daemon that is typically used to create reports on occurred errors. But when the TV box was infected, this file was replaced by the script that launches the wd component.

The debuggerd_real file in the case we are reviewing is a copy of the script that was used to substitute the real debuggerd file. Doctor Web experts believe that the trojan’s authors intended the original debuggerd to be moved into debuggerd_real to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). As a result, the device had two scripts from the trojan and not a single real debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

  • daemonsu (the vo1d file analogue — Android.Vo1d.1);
  • wd (Android.Vo1d.3);
  • debuggerd (the same script as described above);
  • debuggerd_real (the original file of the debuggerd tool);
  • install-recovery.sh (a script that loads objects specified in it).

An analysis of all the aforementioned files showed that in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful auto launch during subsequent device reboots.

Android.Vo1d’s main functionality is concealed in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which operate in tandem. The Android.Vo1d.1 module is responsible for Android.Vo1d.3’s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&C server. In turn, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.

The geographic distribution of the infections is wide, with the biggest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

A world map listing the number of infections found in various countries.

It’s not especially easy for less experienced people to check if a device is infected short of installing malware scanners. Doctor Web said its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. More experienced users can check indicators of compromise here.