Advisory ID: ngCERT-2025-080003
SUMMARY
ngCERT is aware of a persistent “AdLoad” malware infiltrating macOS through deceptive installers and bypassing Apple’s native security protections. Once installed, it hijacks browsers, injects unwanted advertisements, and collects user data while embedding itself deeply via launch agents, login items, and configuration profiles to maintain persistence. Detecting AdLoad can be challenging due to its stealthy nature and use of legitimate system mechanisms. Manual detection involves inspecting login items, system profiles, and startup agents, but these methods may miss advanced variants. Proactive monitoring, regular audits, and user education are crucial for mitigating risk and protecting system integrity. The malware exemplifies the increasing sophistication of macOS threats, making layered defense and timely detection critical to maintaining secure computing environments.
Probability: High
Damage: Critical
Platform(s): macOS (Intel + Apple Silicon)
DESCRIPTION
AdLoad is a sophisticated adware targeting macOS, utilising deceptive installers to infiltrate systems without detection. It exploits macOS’s native features to establish deep persistence, manipulating browser settings and injecting unsolicited advertisements. Unlike typical malware, AdLoad blends into legitimate system processes, complicating detection efforts. Indicators of infection include unexpected browser redirects, unfamiliar startup items, and subtle system slowdowns. Its stealth is enhanced by employing configuration profiles and launch agents, tools generally used for legitimate purposes. Traditional antivirus tools often struggle to identify AdLoad due to its use of signed components and legitimate macOS mechanisms.
CONSEQUENCES
A successful AdLoad infection may lead to the following outcomes:
- Persistent and Intrusive Advertisements: AdLoad continuously injects unwanted ads into browsers and applications, disrupting normal workflows and degrading the overall user experience.
- Browser Hijacking and Redirects: The malware modifies browser settings to redirect users to suspicious or malicious websites.
- Unauthorized Data Collection: AdLoad covertly gathers browsing history, search queries, and other personal information without user consent.
- Difficult Removal and Persistence: Utilizing legitimate macOS mechanisms like launch agents and configuration profiles, AdLoad embeds itself deeply within the system.
- Degraded System Performance: Running background processes and injecting ads consume CPU, memory, and network bandwidth, leading to slower system responsiveness and reduced efficiency over time.
- Potential Vector for More Threats: By weakening system security and opening hidden backdoors, AdLoad can serve as a gateway for more dangerous malware, including ransomware or spyware.
SOLUTION/MITIGATION
To mitigate the risks associated with AdLoad malware, ngCERT recommends the following actions:
- Use trusted anti-malware tools.
- Perform manual inspection and cleanup.
- Keep macOS and software updated.
- Limit software installation sources.
- Educate users on phishing and fake installers.
- Implement endpoint monitoring.
- Restrict administrative privileges.
- Maintain regular backups.
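The manual inspection step above can be partly scripted. The following is an added example, not ngCERT tooling, that lists launch agent or daemon plists whose program lives outside the usual vendor locations, the kind of unfamiliar startup item the advisory says to look for. It assumes XML plists and an assumed set of trusted path prefixes; the sample plists are constructed.

```sh
#!/bin/sh
# Added example, not ngCERT tooling: report launch agent/daemon plists whose
# program sits outside the usual vendor locations. Assumes XML plists; on a
# real Mac convert binary ones first with: plutil -convert xml1 -o - FILE
TRUSTED_PREFIXES="/System/ /usr/ /bin/ /sbin/ /Applications/ /Library/Apple/"  # assumed
# Print the executable recorded in a plist (Program, or first ProgramArguments entry).
plist_program() {
    awk '/<key>Program(Arguments)?<\/key>/ { want = 1 }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}
# Return 0 when the path starts with one of the trusted prefixes.
is_trusted() {
    for p in $TRUSTED_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}
# Print "plist<TAB>program" for every agent in DIR whose program is not trusted.
audit_launch_agents() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        prog=$(plist_program "$f")
        if [ -z "$prog" ]; then
            printf '%s\t(no program found)\n' "$f"
        elif ! is_trusted "$prog"; then
            printf '%s\t%s\n' "$f" "$prog"
        fi
    done
}
# Constructed sample: a benign vendor updater and an agent hiding in ~/Library.
make_sample_agents() {
    dir=$(mktemp -d)
    cat > "$dir/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict></plist>
EOF
    cat > "$dir/com.constructed.agent.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.constructed.agent</string>
  <key>Program</key><string>/Users/alice/Library/Application Support/.hidden/agent</string>
</dict></plist>
EOF
    printf '%s\n' "$dir"
}
```

Run it against ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; anything it prints deserves a look at the signing status and origin of the program.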
Advisory ID: ngCERT-2025-080002
SUMMARY
ngCERT is aware of an increase in Android.Vo1d malware infections within the Nigerian cyberspace. Android.Vo1d, otherwise known as Void, is a recent Android Trojan campaign reported to have infected over 1.3 million Android TV boxes worldwide, including in Nigeria. The malware is identified as a sophisticated backdoor capable of secretly downloading and installing malicious applications on infected devices, particularly those running outdated Android operating systems. Android.Vo1d poses a major risk to Android TV box users, with impacts that include system compromise and takeover as well as data exfiltration. Consequently, ngCERT strongly advises individuals and organisations to take immediate steps to safeguard their systems and data from this emerging threat.
Probability: High
Damage: Critical
Platform(s): Android 7.1.2, Android 10.1, Android 12.1
DESCRIPTION
Android.Vo1d is a backdoor trojan that installs itself deep in the device’s system files and operates covertly, employing advanced techniques to evade detection while establishing persistence. It achieves this by infiltrating the system storage and modifying critical files such as install-recovery.sh and daemonsu. It then creates new files: /system/bin/debuggerd, /system/bin/debuggerd_real, /system/xbin/vo1d, and /system/xbin/wd. The attackers disguise the malware by altering the name of “vold”, a legitimate system program, to “vo1d”, substituting the lowercase “l” with the number “1”. This trick allows the malware to evade detection while establishing a foothold on infected systems. Additionally, the backdoor’s components, Android.Vo1d.1, Android.Vo1d.3 and Android.Vo1d.5, work concurrently to ensure continued malicious activity. Specifically, Vo1d.1 manages activities and downloads executable files from the C&C server; Vo1d.3 installs and launches the encrypted Android.Vo1d.5 daemon while monitoring directories and installing APK files; and Vo1d.5 provides additional functionality. Furthermore, TV boxes running older Android versions are particularly vulnerable, as they often lack critical security updates. Affected devices include the R4 (Android 7.1.2) and KJ-SMART4KVIP (Android 10.1).
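The “vo1d” for “vold” trick described above can be checked for mechanically. The following is an added example, not part of the advisory, that flags file names imitating Android system binaries through digit-for-letter substitution and the artifact paths listed above. The KNOWN_BINARIES allowlist is an assumption, and the sample listing is constructed rather than captured from a device.

```sh
#!/bin/sh
# Added example, not from the advisory: flag file names that imitate Android
# system binaries by digit-for-letter substitution (vold -> vo1d) and the
# artifact paths the advisory lists. Input is one path per line, for instance
# saved from `adb shell ls /system/bin /system/xbin`. KNOWN_BINARIES is an
# assumed allowlist; extend it with your firmware's real binary names.
KNOWN_BINARIES="vold debuggerd logd installd init"
ADVISORY_PATHS="/system/xbin/vo1d /system/xbin/wd /system/bin/debuggerd_real"

# Map the digits commonly used as homoglyphs back to letters: 1 -> l, 0 -> o.
normalize_name() { printf '%s' "$1" | tr '10' 'lo'; }

# Return 0 if word $1 appears in the space-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Read paths from stdin; print "REASON<TAB>path" for each suspicious entry.
vo1d_scan() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        if in_list "$path" "$ADVISORY_PATHS"; then
            printf 'known-artifact\t%s\n' "$path"
            continue
        fi
        norm=$(normalize_name "$name")
        if [ "$norm" != "$name" ] && in_list "$norm" "$KNOWN_BINARIES"; then
            printf 'lookalike-of-%s\t%s\n' "$norm" "$path"
        fi
    done
}

# Constructed listing (not captured from a real device): genuine names,
# the advisory's artifacts, and one extra lookalike (l0gd).
SAMPLE_LISTING='/system/bin/vold
/system/bin/debuggerd
/system/bin/debuggerd_real
/system/xbin/vo1d
/system/xbin/wd
/system/bin/l0gd
/system/bin/logd'

scan_sample_listing() { printf '%s\n' "$SAMPLE_LISTING" | vo1d_scan; }
```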
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
- System compromise.
- Unauthorised access to sensitive data.
- Data exfiltration.
- Reputational damage.
- Service Disruption leading to potential Denial of Service (DoS).
SOLUTION/MITIGATION
ngCERT recommends the following:
- Regularly update TV box firmware from official sources.
- Install antivirus software to detect potential infections.
- Avoid downloading apps or firmware from unofficial sources.
- Consider replacing TV boxes running outdated Android versions with newer, more secure models.
HYPERLINK
- https://cybersecuritynews.com/android-tv-box-android-vo1d-malware/
- https://securityonline.info/massive-android-tv-box-infection-over-1-3-million-devices-compromised-by-android-vo1d/
- https://thehackernews.com/2024/09/beware-new-vo1d-malware-infects-13.html
- https://www.androidheadlines.com/2024/09/these-android-tv-boxes-are-infected-by-vo1d-malware.html
Advisory ID: ngCERT-2025-080001
SUMMARY
ngCERT has identified malware tagged android.badbox2. The malware, also known as BadBox 2.0, is a large-scale Android malware supply chain threat which involves the pre-infection of consumer devices. The malware is embedded into the system firmware before the device reaches consumers, making it resistant to removal. Low-cost Android devices using the Android Open Source Project (AOSP), such as Android tablets, connected TV (CTV) devices, digital photo frames and phones, are often targeted. This malware enables activities like remote code execution, account abuse, and ad fraud. Organisations and individuals are advised to stay vigilant and prioritise device hygiene to mitigate Android.BadBox2 risks.
Probability: High
Damage: Critical
Platform(s): Android TV Boxes, Smart Projectors, Android Tablets, Digital Signage Players and Uncertified Smartphones
DESCRIPTION
Android.BadBox2 is a sophisticated malware campaign that targets uncertified Android devices, primarily those using the AOSP. The infection begins at the supply chain level, with malicious code embedded directly into system files such as ‘libanl.so’, before the device even reaches the user. In other cases, the malware spreads through “evil twin” apps, counterfeit versions of legitimate applications that are sideloaded from third-party sources. Once installed, the malware connects to remote Command and Control (C2) servers, downloads additional payloads, and enables remote access via a component called BB2DOOR. This allows attackers to control the device, update malware, or install new modules silently. Once active, the malware enlists the device into a global botnet used for fraudulent activity. Infected devices are transformed into residential proxy nodes, allowing attackers to route malicious traffic through victims’ home networks. The malware also engages in ad and click fraud by launching hidden browser sessions that load ads in the background, consuming data and battery without the user’s knowledge. With deep system integration, Android.BadBox2 can disable security features, avoid detection, and persist even through factory resets, thereby posing a serious threat to user privacy, network integrity, and global digital infrastructure.
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
- System compromise.
- Unauthorised access to sensitive data.
- Data exfiltration.
- Reputational damage.
- Service Disruption leading to potential Denial of Service (DoS).
- Legal Implications.
SOLUTION/MITIGATION
The following recommendations should be observed to mitigate risks:
- Monitor network activity across all connected devices.
- Update software, firmware, and operating systems regularly.
- Avoid using unofficial app stores or sideloaded software.
- Be wary of too-good-to-be-true streaming solutions.
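The residential-proxy behaviour described above and the “monitor network activity” recommendation suggest one concrete check: a TV box that is relaying other people's traffic talks to far more distinct external destinations than a streaming device should. The following is an added example, not from the advisory, that applies that heuristic to flow records. The record format, the internal address prefix, the threshold and the sample flows are all assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the advisory: flag devices on a home or IoT segment
# that fan out to unusually many distinct external destinations, the traffic
# shape of a box serving as a residential proxy node. Assumes flow records
# "src_ip dst_ip dst_port bytes", one per line; addresses and the threshold
# are constructed for this illustration.
FANOUT_THRESHOLD=4          # distinct external destinations per source before alerting
LOCAL_PREFIX='^192\.168\.'  # assumed internal address space

# Constructed flows: .20 behaves like a streamer, .30 like a proxy node.
SAMPLE_FLOWS='192.168.1.20 203.0.113.10 443 5200
192.168.1.20 203.0.113.10 443 4100
192.168.1.20 198.51.100.4 443 900
192.168.1.30 203.0.113.10 443 7000
192.168.1.30 198.51.100.4 80 300
192.168.1.30 198.51.100.77 8080 200
192.168.1.30 192.0.2.15 443 120
192.168.1.30 192.0.2.99 443 150
192.168.1.30 192.168.1.1 53 60
192.168.1.30 203.0.113.200 25 100'

# Read flows from stdin; print "src<TAB>distinct_external_dsts" for sources
# at or above the threshold.
proxy_fanout() {
    awk -v lp="$LOCAL_PREFIX" -v thr="$FANOUT_THRESHOLD" '
        $2 ~ lp { next }                         # internal-only traffic is ignored
        !seen[$1 SUBSEP $2]++ { dsts[$1]++ }     # count each destination once per source
        END { for (s in dsts) if (dsts[s] >= thr) printf "%s\t%d\n", s, dsts[s] }
    '
}

scan_sample_flows() { printf '%s\n' "$SAMPLE_FLOWS" | proxy_fanout; }
```

On a real network the same function can be fed from router NetFlow/sFlow exports or firewall logs once they are reduced to the four-column form; tune the threshold to the baseline of your own devices.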
Advisory ID: NCC-CSIRT-2025-013
Summary:
Cybersecurity researchers have uncovered a large-scale phishing-as-a-service (PhaaS) infrastructure on Google Cloud and Cloudflare, which has been operational for years. This infrastructure utilizes fake websites that mimic real company login pages to steal passwords and bypass security codes. The attackers stay hidden by using expired domains and tricks that fool Google into seeing harmless content.
Damage/Probability: High/Critical
Product(s):
- Google Cloud Platform (GCP)
- Cloudflare Services
- Expired or Abandoned Domains
Version(s):
- Google Cloud Platform (GCP): Not version-specific (cloud services, not software releases).
- Cloudflare Services: Not version-specific (service-level abuse).
- Expired or Abandoned Domains: Any domains previously registered but left to expire.
Platform(s):
Google Cloud, Cloudflare, Re-registered / Expired Domains, and Open Redirect Services (e.g., Google Accelerated Mobile Pages (AMP), Software-as-a-Service (SaaS) platforms).
Description:
According to the cybersecurity experts, the attackers create fake websites that look exactly like the real login pages of well-known companies (including big defence, finance, and tech firms). Their goal is to trick people into entering their usernames, passwords, and even security codes. Once stolen, this information can be used to hack accounts, steal money, spread malware, or commit fraud.
The group has built an “empire” of fake sites, with almost 50,000 fake hosts across many servers. To stay hidden, they use clever tricks:
- They buy expired websites that already have a good reputation in Google search.
- They make sure Google’s systems see a harmless version of the site, while real users see the fake login page.
- They even load some images or files directly from the real company’s website, so the fake page looks even more convincing.
Because of these tactics, the operation managed to run for years without being shut down.
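The third tactic above, loading images or files directly from the real company’s website, leaves a trace in the legitimate site’s own access log: asset requests whose Referer points at a host the company does not own. The following is an added example, not from the advisory, that extracts those foreign referers. The log format (Apache/nginx “combined”), the owned host list, the asset prefixes and the sample log lines are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the advisory: find cloned login pages that hotlink a
# brand's assets by scanning the legitimate site's access log for asset requests
# whose Referer host is not one of ours. Assumes Apache/nginx "combined" format;
# host names and log lines below are constructed.
OUR_HOSTS="example.com www.example.com login.example.com"   # assumed legitimate hosts
ASSET_PATTERN='^/(static|images|css)/'                       # assumed asset prefixes

# Constructed sample log, one request per line (IPs from documentation ranges).
SAMPLE_LOG='203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example.com/login" "Mozilla/5.0"
203.0.113.9 - - [01/Aug/2025:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://examp1e-login.example.net/signin" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /css/site.css HTTP/1.1" 200 800 "https://examp1e-login.example.net/signin" "Mozilla/5.0"
198.51.100.8 - - [01/Aug/2025:10:00:04 +0000] "GET /login HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.3 - - [01/Aug/2025:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://secure-verify.example.org/auth" "Mozilla/5.0"'

# Read log lines from stdin; print "count<TAB>referer-host" for every foreign
# host that hotlinks our assets, most frequent first.
hotlink_referers() {
    awk -v ours="$OUR_HOSTS" -v assets="$ASSET_PATTERN" '
        BEGIN { n = split(ours, a, " "); for (i = 1; i <= n; i++) own[a[i]] = 1 }
        {
            path = $7                                  # request path in combined format
            if (path !~ assets) next
            if (match($0, /"[^"]*" "[^"]*"$/) == 0) next  # referer and user-agent pair
            ref = substr($0, RSTART + 1); sub(/".*/, "", ref)
            if (ref == "-") next
            host = ref; sub(/^[a-z]+:\/\//, "", host); sub(/[\/:].*/, "", host)
            if (!(host in own)) hits[host]++
        }
        END { for (h in hits) printf "%d\t%s\n", hits[h], h }
    ' | sort -rn
}

scan_sample_log() { printf '%s\n' "$SAMPLE_LOG" | hotlink_referers; }
```

Each host this prints is a candidate for the takedown process in the organisational guidance that follows; a burst of asset requests from one unknown referer is a strong sign that a clone is live.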
Impacts:
- Credential compromise and account takeover (ATO), including Multi-Factor Authentication (MFA) bypass where Adversary-in-the-Middle (AiTM) kits are used.
- Brand/reputation damage and potential regulatory exposure where cloned sites load legitimate brand assets.
- Downstream malware delivery (e.g., RATs via Cloudflare-hosted chains in adjacent campaigns).
Solutions:
What Users Should Do:
- Do not rely on search results for logins. Always type the web address yourself (e.g., www.yourbank.com) or use bookmarks you created earlier.
- Look carefully at website addresses. Fake sites often use unusual spellings or extra words.
- Use stronger sign-in methods. Where possible, use security keys or passkeys (FIDO2/WebAuthn) instead of just passwords and codes. These are very hard for attackers to steal.
- Be alert for suspicious redirects. If a link takes you through multiple pages before reaching a login, it could be a trap.
- Report suspicious sites. If you see a fake site pretending to be your organization, report it immediately to IT/security teams.
What Organizations Should Do:
- Protect your domains: Renew important website names on time so criminals can’t take them over.
- Monitor your brand: Regularly check if fake versions of your website exist and request takedowns quickly.
- Strengthen staff login security: Use multi-factor authentication, preferably phishing-resistant methods.
- Train employees: Remind staff to never log in through links in emails or search results.
References:
- https://www.darkreading.com/cloud-security/phishing-empire-undetected-google-cloudflare
- https://malwaretips.com/threads/phishing-empire-runs-undetected-on-google-cloudflare.137414/
- https://reporter.deepspecter.com/the-cloak-and-the-dagger-how-google-and-cloudflare-missed-a-global-phishing-empire-ed7176ebf82f
Advisory ID: NCC-CSIRT-2025-012
Summary:
Security experts have discovered a new type of cybersecurity attack targeting Linux systems. Criminals are hiding malicious code inside the names of files stored in a compressed archive (RAR file). This trick enables the malware to bypass many antivirus programs because the harmful code is not embedded within the file itself, but rather in the file’s name. Victims usually receive this malware through emails, pretending to be surveys or promotions. Once the attached .rar file is opened, the hidden code can run if the system or scripts process the filename in an unsafe way. The final result is the installation of a powerful backdoor program (called VShell) that gives attackers complete control of the infected system.
Damage/Probability: High/Critical
Product(s):
IoT devices and embedded systems running Linux
Version(s):
All versions of Linux systems, including servers, cloud platforms, IoT devices, and automated scripts that process RAR files
Platform(s):
Linux OS
Description:
Hackers have found a new way to attack Linux computers by hiding harmful code inside the names of files in a RAR archive. Normally, antivirus software looks inside files for threats, but in this case, the danger is in the filename itself, so it often goes undetected.
The attack usually starts with a fake email that has a .rar file attached. When the file is opened and the filenames are handled carelessly by the computer or scripts, the hidden code runs automatically. This code then downloads more malware, which installs a secret program called VShell.
Once installed, VShell gives the hacker full control of the computer: they can steal or delete files, run programs, spy on activity, or even use the machine to attack others. What makes this attack especially dangerous is that the malware runs only in the computer’s memory (not saved on disk), and it pretends to be a normal system process, making it very hard to notice or remove.
Impacts:
If the attack succeeds, hackers can take over Linux systems, steal sensitive data, disrupt services, and use the computers for other crimes, all while staying hidden.
Solutions:
- Be suspicious of unexpected attachments, especially .rar files. If you are not expecting it, do not open it.
- Update and secure scripts. If you use Linux scripts, avoid unsafe commands like eval and always quote filenames properly.
- Use security tools that monitor behavior, not just file content. Endpoint protection systems that watch for unusual memory activity are more likely to catch this.
- Restrict internet access on sensitive servers to only trusted websites.
- Stay aware! Even something as “harmless” as a filename can be weaponized.
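The scripting advice above comes down to treating every file name as data. The following is an added example, not from the advisory, of a script that processes the contents of an extracted archive without eval or unquoted expansion and reports names outside a conservative allowlist instead of acting on them. The allowlist, the directory layout and the sample file names are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the advisory: handle names of extracted archive
# entries as data. Nothing here passes a name through eval or an unquoted
# expansion; names outside a conservative allowlist are reported and skipped.
# The sample directory and file names below are constructed for illustration.

# Return 0 if NAME is non-empty, not dot-prefixed, and uses only
# letters, digits, dot, dash, underscore and space.
name_is_safe() {
    case "$1" in
        ''|.*) return 1 ;;
        *[!A-Za-z0-9._' '-]*) return 1 ;;
    esac
    return 0
}

# Walk one extracted directory; print "OK<TAB>name" or "REJECT<TAB>masked name".
# Globbing (not parsing ls or find output) delivers each name intact, newlines included.
process_extracted() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || continue              # unmatched glob pattern
        name=${f##*/}
        if name_is_safe "$name"; then
            printf 'OK\t%s\n' "$name"
        else
            masked=$(printf '%s' "$name" | tr -c 'A-Za-z0-9._ -' '?')
            printf 'REJECT\t%s\n' "$masked"
        fi
    done
}

# Number of rejected entries in DIR.
count_rejects() { process_extracted "$1" | grep -c '^REJECT' || true; }

# Constructed sample: two ordinary names, one carrying shell syntax, one hidden,
# one with an embedded newline. All are created literally (single quotes, no eval).
make_sample_dir() {
    dir=$(mktemp -d)
    : > "$dir/report.pdf"
    : > "$dir/survey 2025.xlsx"
    : > "$dir/"'survey_$(uname).txt'
    : > "$dir/.hidden.sh"
    : > "$dir/$(printf 'multi\nline.txt')"
    printf '%s\n' "$dir"
}
```

Because the name with shell syntax is only ever quoted and compared, nothing inside it runs; a script that instead built a command string from the name and handed it to eval would behave as the advisory describes.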