ngCERT SECURITY ADVISORY ON INCREASED ANDROID.VO1D MALWARE INFECTIONS

Advisory ID:   ngCERT-2025-010007

SUMMARY

ngCERT is aware of an increase in Android.Vo1d malware infections within the Nigerian cyberspace. Android.vo1d otherwise known as Void is a recent android trojan campaign reported to have infected over 1.3 million Android TV boxes worldwide, including Nigeria. The malware is identified as a sophisticated backdoor capable of secretly downloading and installing malicious applications on infected devices, particularly those running outdated Android operating systems. Android.vo1d poses a major risk to Android TV box users, with implications on system compromise and takeover, as well as data exfiltration among other negative impacts. Consequently, ngCERT strongly advises individuals and organizations to take immediate steps to safeguard their systems and data from this emerging threat.

Probability:    High

Damage:        Critical

Platform(s):   Android TV Boxes

DESCRIPTION

Android.Vo1d is a backdoor trojan that installs itself deep in the device’s system files and operates covertly by employing advanced techniques to evade detection while establishing persistence. It achieves this by infiltrating the system storage and modifying critical files like install-recovery.sh and daemonsu files. Thereafter, it creates news files, /system/xbin/wd, /system/xbin/vo1d, /system/bin/debuggerd_real and /system/bin/debuggerd. Attackers cleverly disguises the malware by altering the file name “vold,” a system program, to “vo1d,” substituting the lowercase “l” with the number “1”. This trick allows the malware to evade detection while establishing a foothold in infected systems. Additionally, the backdoor’s components, Android.Vo1d.1, Android.Vo1d.3, and Android.Vo1d.5 work concurrently to ensure continued malicious activity. Particularly, Vo1d.1 manages activities and downloads executables files from the C&C server, Vo1d.3 installs and launches the encrypted Android.Vo1d.5 daemon, while monitoring directories and installing APK files, with Vo1d.5 providing additional functionality. Furthermore, TV boxes running older Android versions are particularly vulnerable, as they often lack critical security updates. Some of these devices include the R4 (Android 7.1.2) and KJ-SMART4KVIP (Android 10.1).

CONSEQUENCES

Falling prey to these attacks could potentially lead to:

1. System compromise.
2. Unauthorized access to sensitive data.
3. Data exfiltration.
4. Reputational damage.
5. Service Disruption leading to potential Denial of Service (DoS).

SOLUTION/MITIGATION

ngCERT recommends the following:

1. Regularly update of TV box firmware from official sources.
2. Installation of antivirus software to detect potential infections.
3. Avoid downloading apps or firmware from unofficial sources.
4. Consider replacing TV boxes running on outdated Android versions with newer and more secure models.

HYPERLINK

• https://cybersecuritynews.com/android-tv-box-android-vo1d-malware/
• https://securityonline.info/massive-android-tv-box-infection-over-1-3-million-devices-compromised-by-android-vo1d/
• https://thehackernews.com/2024/09/beware-new-vo1d-malware-infects-13.html
• https://www.androidheadlines.com/2024/09/these-android-tv-boxes-are-infected-by-vo1d-malware.html