Cybercriminals continue to enhance the capabilities of the botnet known as Vo1d, which has grown significantly over the past half a year.
In September 2024, Russian security firm Doctor Web warned that 1.3 million Android TV boxes around the world had been ensnared in the Vo1d botnet.
Chinese security company QiAnXin (QAX) has also monitored the threat and on Thursday reported seeing nearly 90 new samples of the malware. Its researchers have observed activity from roughly 800,000 unique IPs associated with the botnet every day, with a peak at nearly 1.6 million on January 14, 2025.
According to QiAnXin, the botnet has evolved in terms of stealth, resilience and anti-detection capabilities. Specifically, the cybercriminals are attempting to prevent command and control (C&C) domain takeover by using RSA encryption to secure communication.
The botnet’s resilience and flexibility have been enhanced through the use of hardcoded and DGA-based redirector C&C servers. In an effort to increase the difficulty of analyzing the malware, each payload now uses a unique downloader with XXTEA encryption and RSA-protected keys.
The Vo1d botnet has mainly been used for anonymous proxy services and for ad/click fraud. Proxy services can make a lot of money for cybercriminals, as demonstrated by the 911 S5 (Cloud Router) botnet, which helped its operators make $99 million.
However, such a big botnet could be abused for various other purposes as well, including massive DDoS attacks, as well as to broadcast unauthorized content to the large number of infected Android TV boxes.
Nearly a quarter of the Vo1d-infected devices are in Brazil, followed by South Africa (13%), Indonesia (10%), Argentina (5%), Thailand (3%), and China (3%) — infections have been seen across over 200 countries and regions.
As for how these Android TV devices are getting infected with the Vo1d malware, researchers believe it’s either through a supply chain attack (the malware is pre-installed by some manufacturers), or due to users failing to secure their devices and installing malicious software disguised as useful apps and tools.
QiAnXin researchers also reported finding some links to Bigpanzi, another botnet powered by a significant number of Android TV boxes.
Related: Botnet of 190,000 BadBox-Infected Android Devices Discovered
Related: Chinese Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts
Related: Aquabot Botnet Targeting Vulnerable Mitel Phones
Related: Murdoc Botnet Ensnaring Avtech, Huawei Devices
