A new variant of the Vo1d malware botnet has infected 1,590,299 Android TV devices across 226 countries, recruiting the devices into anonymous proxy server networks. This is according to an investigation by XLab, which has been tracking the new campaign since last November and reports that the botnet peaked on January 14, 2025, and currently has 800,000 active bots.

The Vo1d botnet is one of the largest seen in recent years, surpassing Bigpanzi, the original Mirai operation, and the botnet responsible for the record-breaking 5.6 Tbps DDoS attack handled by Cloudflare last year. Dr. Web antivirus researchers had previously found 1.3 million devices across 200 countries compromised by Vo1d malware via an unknown infection vector. XLab's recent report indicates that the new version of the botnet continues its operations on a larger scale, undeterred by the earlier exposure. Moreover, the researchers underline that the botnet has evolved with advanced encryption (RSA + custom XXTEA), resilient DGA-powered infrastructure, and enhanced stealth capabilities.

The researchers report that the botnet has seen notable infection surges, such as going from 3,900 to 217,000 bots in India within just three days. XLab writes: "We speculate that the phenomenon of 'rapid surges followed by sharp declines' may be attributed to Vo1d leasing its botnet infrastructure in specific regions to other groups. At the start of a lease, bots are diverted from the main Vo1d network to serve the lessee's operations. This diversion causes a sudden drop in Vo1d's infection count as the bots are temporarily removed from its active pool. Once the lease period ends, the bots rejoin the Vo1d network. This reintegration leads to a rapid spike in infection counts as the bots become active again under Vo1d's control."

The largest fluctuations suggest that the botnet operators may be "renting" devices as proxy servers, which are commonly used to conduct further illegal activity or botting. The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices into proxy servers to facilitate illegal operations: infected devices relay malicious traffic for the cybercriminals, hiding the origin of their activity and blending in with residential network traffic.

Another function of Vo1d is ad fraud, faking user interactions by simulating clicks on ads or views on video platforms to generate revenue for fraudulent advertisers. The malware has specific plugins that automate ad interactions and simulate human-like browsing behavior, as well as the Mzmess SDK, which distributes fraud tasks to different bots.

Given that the infection chain remains unknown, Android TV users are advised to follow a holistic security approach to mitigate the Vo1d threat. The first step is buying devices from reputable vendors and trustworthy resellers to minimize the likelihood of malware being pre-loaded at the factory or while in transit.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 27 Feb 2025 22:50:17 +0000