Vo1d malware infects 1.3 million Android TV boxes in 197 countries


In a nutshell: Nearly 1.3 million Android-based TV boxes across 197 countries have reportedly been infected by a new malware known as "Vo1d." Although most of the affected devices are running outdated versions of Android, some are powered by relatively newer versions of the operating system.

The malware embeds itself within the system storage area, allowing it to download and install third-party software remotely when commanded by an attacker. The origin of the malware is currently unknown, but researchers suspect it may result from a prior compromise that exploits operating system vulnerabilities to gain root privileges. It could also have originated from unofficial firmware with built-in root access.

Affected devices include the R4 TV Box running Android 7.1.2 (Build NHG47K), the KJ-SMART4KVIP powered by Android 10.1 (Build NHG47K), and TV Box models with Android 12.1 (Build NHG47K).

In all these cases, the Android versions are outdated, potentially containing unpatched security flaws that make them vulnerable to malware attacks. Android versions 7.1, 10.1, and 12.1 were released in 2016, 2019, and 2022, respectively.

While the Vo1d malware has been detected in nearly every country worldwide, the highest numbers of infections have been reported in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia. Brazil is the hardest hit, with approximately 28 percent of infected devices believed to be in use in the country.

Google clarified that Vo1d malware only affects devices running the Android Open Source Project (AOSP) and not its proprietary Android TV software. Google also pointed out that none of the affected devices are Play Protect-certified, meaning they did not undergo its extensive security and compatibility tests designed to ensure quality and user safety.

Play Protect is a Google service that performs safety checks on apps before they are downloaded from the Play Store. It also scans devices for potential malware from third-party app stores and sideloaded APKs. If harmful apps are detected, Play Protect deactivates them and notifies the user. Additionally, it can prevent the installation of unverified apps, especially those requesting sensitive device permissions commonly targeted by scammers to commit fraud.
