Security researchers discover Vo1d malware in 1.3 million Android TV boxes

Mike Wheatley

Security researchers say that a new strain of malware known as Vo1d has infected almost 1.3 million Android-based streaming boxes globally.

The discovery has come as a big shock to the cybersecurity community, raising concerns for smart home device users in every country.

The malware was discovered on Android TV boxes in 197 countries, with Brazil, Morocco and Pakistan said to be among the hardest hit, according to the Russian antivirus vendor Doctor Web, which first discovered the malware.

It’s said to target a number of specific low-cost Android TV devices, such as the R4 TV box model running Android 7.1.2, a TV Box running Android 12.1, and the KJ-SMART4KVIP TV box running Android 10.1.

Doctor Web said Vo1d acts as a backdoor on infected TV boxes, sneaking its components into the system storage area, so it can discreetly download and install other kinds of malicious software on command. It also makes extensive efforts to prevent itself being deleted, changing some important system files so it reappears after the TV box is restarted.

“When commanded by attackers, it is capable of secretly downloading and installing third-party software,” Doctor Web said in its report.

Especially worrying is that the researchers were unable to discover how Vo1d came to infect the TV boxes. They suspect it might use another piece of malware that exploits system weaknesses, or alternatively hide itself in unofficial firmware updates that come with built-in vulnerabilities.

Android TV streaming boxes may not contain the same sensitive data as a smartphone or PC, but users still have plenty of reason to be alarmed about the prospect of running an infected device. Ray Kelly, a fellow at the Synopsys Software Integrity Group, told Forbes that the Vo1d malware’s ability to download and install arbitrary apps puts owners at risk of a number of threats. For instance, their TV could be used as part of a botnet that carries out distributed denial of service attacks, or else it could steal users’ account credentials on apps like Netflix and Amazon Prime Video.

Kelly added that it’s up to the manufacturers of the Android TV boxes to protect users, calling on them to ensure their products are “thoroughly tested for security vulnerabilities”.

Unfortunately, the reality is that many manufacturers of cheap and cheerful Android TV boxes don’t really care that much what happens to their users. Their business model involves manufacturing these devices as cheaply as possible, and to do this they often use an outdated version of Android TV, and sometimes even pass it off as a more recent version to make their products look more attractive. They also don’t use the official Android TV platform, instead opting for the open-source variant of Android that has far fewer protections built in.

PC Mag says one of the best ways to protect your TV box from external threats is to make sure its firmware is kept up to date, as the latest updates often come with patches for recent security flaws. In addition, users can install an antivirus app on their Android TV boxes.

A spokesperson for Google added that the kinds of devices found to be infected are not “Play Protect certified”, which means that Google “doesn’t have any record of their security and compatibility test results.”

Any device that has been Play Protect certified will have undergone testing to ensure both its quality and user safety, but those that are not certified generally do not go through these kinds of tests. Simply put, when you invest in a cheap and cheerful Android TV box to save money, you may well end up paying for it in a different way.

Google offers a dedicated support page for users to check which devices have received Play Protect certification.