Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).
“It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software,” Russian antivirus vendor Doctor Web said in a report published today.
A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.
It is currently not known what the source of the infection is, though it is suspected that it could have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.
The following TV models have been targeted as part of the campaign –
- KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
- R4 (Android 7.1.2; R4 Build/NHG47K)
- TV BOX (Android 12.1; TV BOX Build/NHG47K)
The attack involves the substitution of the “/system/bin/debuggerd” daemon file (with the original file moved to a backup file named “debuggerd_real”), as well as the introduction of two new files – “/system/xbin/vo1d” and “/system/xbin/wd” – which contain the malicious code and operate concurrently.
“Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons,” Google notes in its Android documentation. “In Android 8.0 and higher, crash_dump32 and crash_dump64 are spawned as needed.”
Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the “wd” module.
“The trojan’s authors probably tried to disguise one of its components as the system program ‘/system/bin/vold,’ having called it by the similar-looking name ‘vo1d’ (substituting the lowercase letter ‘l’ with the number ‘1’),” Doctor Web said.
The “vo1d” payload, in turn, starts “wd” and ensures it is persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.
“Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive,” the company said.
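The file-level artifacts described above (the two dropped modules, the backed-up debuggerd, the modified startup scripts, and the vold look-alike name) can be checked for with a short script; the one below is an added example, not code from Doctor Web's report, and the locations it assumes for install-recovery.sh and daemonsu are assumptions, since the report names the files but not their paths.

```shell
#!/bin/sh
# Added example (not from the Doctor Web report): look for the Vo1d
# artifacts named in the write-up. On a device: push the script and run
# "adb shell sh /data/local/tmp/vo1d_check.sh"; or point it at a pulled
# copy of the filesystem: "sh vo1d_check.sh /tmp/box".

# check_vo1d [ROOT]: print each indicator found under ROOT (default: the
# live filesystem); return 1 if anything matched, 0 if the box looks clean.
check_vo1d() {
    root="${1:-}"
    found=0

    # Files the campaign introduces: the two malicious modules and the
    # backup copy of the genuine debuggerd daemon.
    for f in /system/xbin/vo1d /system/xbin/wd /system/bin/debuggerd_real; do
        if [ -e "$root$f" ]; then
            echo "indicator: $f present"
            found=1
        fi
    done

    # Legitimate startup scripts the campaign modifies to launch "wd".
    # These paths are assumptions; the report does not give them.
    for f in /system/etc/install-recovery.sh /system/bin/install-recovery.sh /system/xbin/daemonsu; do
        if [ -f "$root$f" ] && grep -q 'xbin/wd' "$root$f" 2>/dev/null; then
            echo "indicator: $f references the wd module"
            found=1
        fi
    done

    # The look-alike name: a "vo1d" (digit one) binary anywhere else under /system.
    if [ -d "$root/system" ] && \
       find "$root/system" -name vo1d ! -path '*/xbin/vo1d' 2>/dev/null | grep -q .; then
        echo "indicator: vo1d look-alike of vold found under /system"
        found=1
    fi

    return "$found"
}

# Run the check only when invoked as a script, so the file can also be sourced.
case "${0##*/}" in
    vo1d_check.sh) check_vo1d "$1" ;;
esac
```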