1.3 million Android TV boxes have backdoor; researchers still don't know how

Researchers still don't know what caused a recently discovered malware infection that affects nearly 1.3 million streaming devices running an open-source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware dubbed Android.Vo1d had created a backdoor into Android-based boxes by placing malicious components in their system repositories, where they could be updated with additional malware at any time by command-and-control servers. Google officials said the infected devices were running operating systems based on the Android Open Source Project, a version maintained by Google but distinct from Android TV, a proprietary version restricted to licensed device manufacturers.

Dozens of variations

While Doctor Web has deep knowledge of Vo1d and the extraordinary reach it has achieved, the company's researchers say they have yet to determine what attack vector led to the infections.

“At this time, the source of the backdoor infection of the TV boxes is still unknown,” the Thursday report said. “A possible infection vector could be an attack by an intermediate malware that exploits vulnerabilities in the operating system to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The following device models are infected with Vo1d:

TV box model	Indicated firmware version
R4	Android 7.1.2; R4 build/NHG47K
TV BOX	Android 12.1; TV BOX build/NHG47K
KJ-SMART4KVIP	Android 10.1; KJ-SMART4KVIP build/NHG47K

One possible source of the infections is that the devices are running outdated versions that are vulnerable to exploits that can remotely execute malicious code. For example, versions 7.1, 10.1, and 12.1 were released in 2016, 2019, and 2022, respectively. Additionally, Doctor Web said that it is not uncommon for budget device manufacturers to install older OS versions in streaming boxes and make them seem more attractive by presenting them as more modern models.

Furthermore, while only licensed device makers are allowed to modify Google’s AndroidTV, any device maker is free to make changes to open-source versions. That leaves open the possibility that devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

“These non-brand devices that were found to be infected were not Play Protect-certified Android devices,” Google said in a statement. “If a device is not Play Protect-certified, Google does not have data on the results of security and compatibility testing. Play Protect-certified Android devices undergo extensive testing to ensure quality and user safety.”

The statement said people can confirm that a device is running Android TV OS by checking this link and following the steps mentioned there.

Doctor Web said there are dozens of Vo1d variants that use different code and plant malware in slightly different repositories, but all achieve the same end result: connect to an attacker-controlled server and install a final component that can install additional malware when instructed. VirusTotal shows that most of the Vo1d variants were first uploaded to the malware identification site several months ago.

Researchers wrote:

All these cases showed similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:

• installation-restore.sh
• demons

In addition, 4 new files have appeared in the file system:

• /system/xbin/vo1d
• /system/xbin/wd
• /system/bin/debuggerd
• /system/bin/debuggerd_real

The vo1d And wd files are the components of the Android.Vo1d Trojan horse we discovered.

The creators of the Trojan probably tried to disguise one of its components as the system program /system/bin/vold, by giving it a similar name “vo1d” (by replacing the lowercase letter “l” with the number “1”). The name of the malicious program comes from the name of this file. Moreover, this spelling is consistent with the English word “void”.

The installation-restore.sh file is a script present on most Android devices. It is executed when the operating system is started and contains data for automatic execution of the elements specified in it. If malware has root access and the ability to access the /system system directory, it can embed itself into the infected device by adding itself to this script (or by recreating the script from scratch if it is not present on the system). Android.Vo1d has registered the autostart for the wd component in this file.

The demons file is present on many rooted Android devices. It is launched by the operating system when it boots and is responsible for granting root privileges to the user. Android.Vo1d also registered itself in this file, after it also set autostart for the wd modulate.

The debugged file is a daemon that is usually used to report on errors that have occurred. But when the tv box was infected, this file was replaced by the script that wd element.

The debuggerd_real file in the case we are looking at is a copy of the script that was used to create the real debugged file. Experts from Doctor Web believe that the creators of the trojan copied the original debugged be moved to debuggerd_real to maintain functionality. However, since the infection was likely to occur twice, the Trojan moved the already replaced file (i.e., the script). As a result, the device had two Trojan scripts and no real ones debugged program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

• demons (the vo1d file analog — Android.Vo1d.1);
• wd (Android.Vo1d.3);
• debugged (same script as described above);
• debuggerd_real (the original file of the debugged tool);
• installation-restore.sh (a script that loads the objects specified in it).

An analysis of all the above files showed that in order to Android.Vo1d in the system, its authors used at least three different methods: modification of the installation-restore.sh And demons files and replacement of the debugged program. They probably expected at least one of the target files to be present in the infected system, since manipulating even one of them would ensure successful automatic launch of the Trojan during subsequent device reboots.

Android.Vo1dThe main functionality is hidden in its vo1d (Android.Vo1d.1) And wd (Android.Vo1d.3) components that work together. The Android.Vo1d.1 module is responsible for Android.Vo1d.3's starts and monitors its activity, and restarts its process if necessary. In addition, it can download and execute executable files when the C&C server tells it to do so. In turn, the Android.Vo1d.3 module installs and starts the Android.Vo1d.5 daemon that is encrypted and stored in its body. This module can also download and execute executable files. Furthermore, it monitors specified directories and installs the APK files it finds in them.

The geographic distribution of infections is wide, with the largest numbers detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria and Indonesia.

It’s not so easy for less experienced people to check if a device is infected, except by installing malware scanners. Doctor Web said that its antivirus software for Android detects all Vo1d variants and disinfects devices that provide root access. More experienced users can check indicators of intrusion here.