A sophisticated botnet operation has compromised 1.6 million Android TV devices across 226 nations, leveraging advanced domain generation algorithms (DGAs) and cryptographic evasion techniques to create the largest known IoT threat since the 2016 Mirai attacks. Dubbed Vo1d, the operation represents a paradigm shift in large-scale device hijacking through its multi-layered infrastructure and a novel ASR-XXTEA encryption variant. With 1.6 million devices capable of generating 1.2 petabits/sec of malicious traffic, the botnet represents an existential threat to CDN providers (Cloudflare, Akamai), broadcast infrastructure (ATSC 3.0 networks), and smart city IoT grids.

The campaign began on November 28, 2024, when researchers detected IP 38.46.218.36 distributing the jddx ELF loader using Bigpanzi-style string obfuscation. “On December 8, 2024, while monitoring 135 million Bot IPs through a DGA C2 sinkhole, we noticed an unusually low infection count in China, only a few dozen cases despite the country’s vast number of Android TV devices,” reads XLab’s report. Researchers attribute these fluctuations to a “botnet leasing” model in which criminal groups temporarily acquire device clusters for DDoS (≤5.6 Tbps) or proxy services.

Loader Components: Initial downloaders such as s63 establish TLS 1.3 connections to hardcoded C2s (ssl8rrs2.com:55600), using RSA-2048/OAEP padding for key exchange.

Persistence Mechanisms: Final payloads deploy DexLoader APKs (MD5: 68ec86a761233798142a6f483995f7e9) that masquerade as Google Play Services using XML attribute spoofing.

This evolving crisis underscores the urgent need for mandatory SBOM disclosures in IoT supply chains and international cooperation to dismantle the Vo1d infrastructure.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
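As an added defender-side example (not from the article or XLab’s report), the following Python scanner flags hosts that touch the indicators quoted above (the loader IP, the hardcoded C2 host and port, and the DexLoader MD5) over constructed log lines in a hypothetical key=value format; it remembers DNS answers for the C2 domain so a later connection to the resolved address is caught even when no hostname or SNI is logged.

```python
# Indicators quoted in the article (taken from the page, not constructed).
C2_HOST = "ssl8rrs2.com"
C2_PORT = 55600
LOADER_IP = "38.46.218.36"
DEXLOADER_MD5 = "68ec86a761233798142a6f483995f7e9"

# Constructed sample log lines in a hypothetical key=value format; the
# addresses 10.0.0.x, 203.0.113.7 and 198.51.100.4 are invented for the example.
SAMPLE_LOGS = """\
ts=2024-12-08T01:02:03Z type=conn src=10.0.0.12 dst=38.46.218.36 dport=80 proto=tcp
ts=2024-12-08T01:02:09Z type=dns src=10.0.0.12 query=ssl8rrs2.com answer=203.0.113.7
ts=2024-12-08T01:02:10Z type=conn src=10.0.0.12 dst=203.0.113.7 dport=55600 proto=tcp
ts=2024-12-08T01:03:00Z type=file src=10.0.0.12 name=com.google.android.gms.apk md5=68ec86a761233798142a6f483995f7e9
ts=2024-12-08T01:04:00Z type=conn src=10.0.0.13 dst=198.51.100.4 dport=443 sni=example.com proto=tcp
"""

def parse(line: str) -> dict:
    """Split one key=value log line into a dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split())

def scan(log_text: str) -> dict:
    """Return {src_ip: [reasons]} for every source host that matched an indicator."""
    resolved = set()  # IPs the C2 domain resolved to, learned from DNS answers
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        reasons = []
        if ev.get("type") == "dns" and ev.get("query", "").lower().rstrip(".") == C2_HOST:
            resolved.add(ev.get("answer"))
            reasons.append(f"dns lookup of C2 {C2_HOST}")
        if ev.get("type") == "conn":
            if ev.get("dst") == LOADER_IP:
                reasons.append(f"connection to loader IP {LOADER_IP}")
            if ev.get("sni", "").lower() == C2_HOST or ev.get("dst") in resolved:
                port = int(ev.get("dport", 0))
                note = "on C2 port" if port == C2_PORT else f"on unexpected port {port}"
                reasons.append(f"connection to C2 {C2_HOST} {note}")
        if ev.get("type") == "file" and ev.get("md5", "").lower() == DEXLOADER_MD5:
            reasons.append("DexLoader APK hash match")
        if reasons:
            hits.setdefault(ev.get("src"), []).extend(reasons)
    return hits

if __name__ == "__main__":
    for host, why in scan(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(why))
```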
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Feb 2025 08:45:15 +0000