Android.Vo1d: Hackers Infiltrate Homes Through TV Set-Top Boxes

Friend

Friend

Professional
Messages
2,667
Reaction score
876
Points
113
The mass infection of 1.3 million devices around the world has forced us to take a closer look at the danger.

Dr.Web specialists have discovered a new case of mass infection of Android-based set-top boxes. Dubbed Android.Vo1d, the malware has infected around 1.3 million devices in 197 countries.

Android.Vo1d is a backdoor that places its components in the system memory area of the device. When receiving commands from the attackers, it is capable of silently downloading and installing third-party software.

In August 2024, Doctor Web was contacted by users whose Dr.Web antiviruses detected changes in the system files of their set-top boxes. The problem affected the models:
  • R4 (Android 7.1.2);
  • TV BOX (Android 12.1);
  • KJ-SMART4KVIP (Android 10.1).

In all cases, similar signs of infection were observed. The following objects have been modified or added to the device system files: the modified install-recovery.sh and daemonsu files, as well as the new /system/xbin/vo1d, /system/xbin/wd, /system/bin/debuggerd, and /system/bin/debuggerd_real files.

The vo1d and wd files are components of the Android.Vo1d Trojan. The attackers tried to disguise one of the components as the system program /system/bin/vold, replacing the letter "l" with the number "1" in the name.

The Trojan makes changes to the install-recovery.sh script that runs at operating system startup to allow the wd component to run automatically. The daemonsu file, which is responsible for granting root privileges, is also modified for the same purpose. The debuggerd file, commonly used for error reporting, is replaced by the script that runs the wd component.

Android.Vo1d uses several methods to ensure its activity on infected devices:
  1. Modification of the start script: modifies the install-recovery.sh file that runs at system startup by adding its own components to it.
  2. Root Exploitation: Modifies the root-related daemonsu file to run malware on boot.
  3. System daemon replacement: Replaces the debuggerd system daemon with a malicious script to run its components.

Such tactics increase the likelihood that at least one of the methods will successfully launch the malware when the device is rebooted.

The core functionality of Android.Vo1d is contained in the vo1d and wd components, which work in tandem. The vo1d module starts wd and monitors its activity, restarting the process if necessary. Both modules can download and run executables, as well as install detected APKs.

According to Doctor Web, the largest number of infections was registered in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Ecuador, Tunisia, Malaysia, Algeria and Indonesia.

The source of infection of TV set-top boxes is still unknown. It is possible that intermediate malware is used to exploit OS vulnerabilities to gain root access, or unofficial firmware versions with built-in privileges.

One of the reasons why attackers choose TV set-top boxes may be that these devices often run on outdated versions of Android with unpatched vulnerabilities. Some manufacturers use older versions of the OS, passing them off as newer ones to increase the attractiveness of devices. Users may mistakenly believe that TV boxes are more secure than smartphones and are less likely to install antivirus software on them, which increases the risk of infection when downloading third-party apps or installing unofficial firmware.

Source
 
Friend said:
The mass infection of 1.3 million devices around the world has forced us to take a closer look at the danger.

Dr.Web specialists have discovered a new case of mass infection of Android-based set-top boxes. Dubbed Android.Vo1d, the malware has infected around 1.3 million devices in 197 countries.

Android.Vo1d is a backdoor that places its components in the system memory area of the device. When receiving commands from the attackers, it is capable of silently downloading and installing third-party software.

In August 2024, Doctor Web was contacted by users whose Dr.Web antiviruses detected changes in the system files of their set-top boxes. The problem affected the models:
  • R4 (Android 7.1.2);
  • TV BOX (Android 12.1);
  • KJ-SMART4KVIP (Android 10.1).

In all cases, similar signs of infection were observed. The following objects have been modified or added to the device system files: the modified install-recovery.sh and daemonsu files, as well as the new /system/xbin/vo1d, /system/xbin/wd, /system/bin/debuggerd, and /system/bin/debuggerd_real files.

The vo1d and wd files are components of the Android.Vo1d Trojan. The attackers tried to disguise one of the components as the system program /system/bin/vold, replacing the letter "l" with the number "1" in the name.

The Trojan makes changes to the install-recovery.sh script that runs at operating system startup to allow the wd component to run automatically. The daemonsu file, which is responsible for granting root privileges, is also modified for the same purpose. The debuggerd file, commonly used for error reporting, is replaced by the script that runs the wd component.

Android.Vo1d uses several methods to ensure its activity on infected devices:
  1. Modification of the start script: modifies the install-recovery.sh file that runs at system startup by adding its own components to it.
  2. Root Exploitation: Modifies the root-related daemonsu file to run malware on boot.
  3. System daemon replacement: Replaces the debuggerd system daemon with a malicious script to run its components.

Such tactics increase the likelihood that at least one of the methods will successfully launch the malware when the device is rebooted.

The core functionality of Android.Vo1d is contained in the vo1d and wd components, which work in tandem. The vo1d module starts wd and monitors its activity, restarting the process if necessary. Both modules can download and run executables, as well as install detected APKs.

According to Doctor Web, the largest number of infections was registered in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Ecuador, Tunisia, Malaysia, Algeria and Indonesia.

The source of infection of TV set-top boxes is still unknown. It is possible that intermediate malware is used to exploit OS vulnerabilities to gain root access, or unofficial firmware versions with built-in privileges.

One of the reasons why attackers choose TV set-top boxes may be that these devices often run on outdated versions of Android with unpatched vulnerabilities. Some manufacturers use older versions of the OS, passing them off as newer ones to increase the attractiveness of devices. Users may mistakenly believe that TV boxes are more secure than smartphones and are less likely to install antivirus software on them, which increases the risk of infection when downloading third-party apps or installing unofficial firmware.

Source
Click to expand...
i asked some people about carding sites whats trending right now, can you give me some sites i can card ? for example a casino or something i can deposit money and withdraw on crypto, or crypto directly? i need to know whats trending because the site i used died
 
You must log in or register to reply here.

Similar threads

chushpan
📱 Android Debugging Invites Hackers: Vulnerability Is 3,000 Times Higher
Replies
0
Views
101
chushpan
chushpan
Man
UAT-5647: Quartet of hackers hacks into Ukrainian government agencies from within
Replies
0
Views
112
Man
Man
Friend
SSH backdoor on Linux: hackers armed themselves with new weapons
Replies
0
Views
113
Friend
Friend
Man
Invisible Linux on Windows: Hackers Mask Attacks Through QEMU
Replies
0
Views
123
Man
Man
chushpan
🛒 Hackers can turn any Bluetooth device into an AirTag and track its location
Replies
0
Views
138
chushpan
chushpan
Back
Top