Hackers are upping their game, getting better through attacks and strategies. The latest incident of this rise is the disturbing spread of the Vo1d malware botnet. Vo1d is a highly sophisticated malware and infected around 1,590,299 Android TV devices throughout 226 countries, changing them into “anonymous proxy servers" for malicious activities.
Why is Vo1d malware so dangerous?
Vo1d is considered dangerous because of its persistence and potential to expand despite earlier discoveries by cybersecurity experts.
Research by Xlab suggests Void had 800,000 active bots, “Peaking at 1,590,299 on January 14, 2025.” Experts believe the botnet is being rented to hacking groups for various illegal activities, from escaping regional internet restrictions to ad frauds.
Vo1d’s campaign trend suggests that the devices are leased out and then returned, causing a sharp rise and fall in the number of active bots in particular regions. The highest impact has been noticed in South Africa, Argentina, Brazil, China, and Thailand.
About Vo1d Malware
Vo1d is not your average Joe, it is one of the most advanced and biggest malware in recent years, outperforming deadly botnets such as Bigpanzi and Mirai. Its Command and Control (C2) framework uses 2048-bit RSA encryption and Domain Generation Algorithms, making it indestructible. Vo1d uses 32 DGA seeds to create over 21,000 C2 domains, making it operational despite attempts to close its network.
It transforms infected devices into proxy servers, allowing threat actors to reroute malicious traffic via infected devices, hiding their source location and escaping detection.
The proxies are then used for various illegal activities such as:
- Illegal Transactions
- Security evasion
- Advertising Frauds
What makes Vo1d even more dangerous is its evolving nature
V01d is considered a severe threat due to its “evolving nature”. According to Forbes, the “latest version includes enhanced stealth capabilities and custom XXTEA encryption, further complicating detection and removal efforts.” In case researchers can register a C2 domain, they “can’t issue commands to disable the botnet due to the strong encryption measures in place."
The malware also uses special plugins like Mzmess SDK, used for ad-clicking scams. The SDK allows the botnet to mimic “human-like” interface, scamming advertising networks into payments. Vo1d can also harvest system data such as IPs, device specs, and network info from compromised devices. This can trigger further attacks.
Evolution of Vo1d malware
Another important highlight about Vo1d’s expansion is its attack strategy. Although the experts don't know the infection vector, they believe the malware distributes via harmful firmware updates, Android TV system vulnerabilities, or sideloaded apps. Experts also suspect that illegal streaming services and infected third-party app stores may contribute to spreading the malware.
Tips to Stay Safe
IoT and Android TV users should follow these precautions to lower the chances of attacks:
- Update update update! Hackers exploit vulnerabilities in outdated software.
- Buy IoT devices and Android TV from authorised manufacturers. Avoid third party sellers.
- Disable “remote access” (if enabled) on your Android TV and IoT device, unless absolutely needed.
- Only install apps from Google Play Store. Avoid installing apps from third-party.
- Disconnect inactive devices from the internet, if not in use.
- Use a network monitoring tool to identify malicious internet traffic patterns and find out about a compromised device.
Users should be more careful
Xlab warns about the dangers of Vo1d malware, “Many users harbor misconceptions about the security of TV boxes, deeming them safer than smartphones and thus rarely installing protective software.”
Higlighting the dangers of using modded apps and software, Xlab says the “widespread practice of downloading cracked apps, third-party software, or flashing unofficial firmware—often to access free media—greatly increases device exposure, creating fertile ground for malware proliferation.”