A brand new variant of the Vo1d malware botnet has grown to 1,590,299 contaminated Android TV gadgets throughout 226 nations, recruiting gadgets as a part of nameless proxy server networks.
That is in line with an investigation by Xlab, which has been monitoring the brand new marketing campaign since final November, reporting that the botnet peaked on January 14, 2025, and at the moment has 800,000 lively bots.
In September 2024, Dr. Internet antivirus researchers discovered 1.3 million gadgets throughout 200 nations compromised by Vo1d malware through an unknown an infection vector.
XLab’s latest report signifies that the brand new model of the Vo1d botnet continues its operations on a bigger scale, not deterred by the earlier publicity.
Furthermore, the researchers underline that the botnet has advanced with superior encryption (RSA + customized XXTEA), resilient DGA-powered infrastructure, and enhanced stealth capabilities.
Supply: XLab
Large botnet measurement
The Vo1d botnet is without doubt one of the largest seen in recent times, surpassing Bigpanzi, the unique Mirai operation, and the botnet accountable for a record-breaking 5.6 Tbps DDoS assault dealt with by Cloudflare final yr.
As of February 2025, practically 25% of the infections affect Brazilian customers, adopted by gadgets in South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%), and China (3.1%).
The researchers report that the botnet has had notable an infection surges, like going from 3,900 to 217,000 bots in India inside simply three days.
The biggest fluctuations recommend that the botnet operators could also be “renting” gadgets as proxy servers, that are generally used to conduct additional criminality or botting.
“We speculate that the phenomenon of “fast surges adopted by sharp declines” could also be attributed to Vo1d leasing its botnet infrastructure in particular areas to different teams. Here is how this “rental-return” cycle may work:
Leasing Part:
Firstly of a lease, bots are diverted from the principle Vo1d community to serve the lessee’s operations. This diversion causes a sudden drop in Vo1d’s an infection depend because the bots are quickly faraway from its lively pool.
Return Part:
As soon as the lease interval ends, the bots rejoin the Vo1d community. This reintegration results in a fast spike in an infection counts because the bots develop into lively once more underneath Vo1d’s management.
This cyclical mechanism of “leasing and returning” may clarify the noticed fluctuations in Vo1d’s scale at particular time factors.”
❖ Xlab
The size of its command and management (C2) infrastructure can be spectacular, with the operation utilizing 32 area technology algorithm (DGA) seeds to supply over 21,000 C2 domains.
C2 communication is protected by a 2048-bit RSA key, so even when researchers determine and register a C2 area, they don’t seem to be capable of difficulty instructions to the bots.
Supply: XLab
Vo1d capabilities
The Vo1d botnet is a multi-purpose cybercrime device that turns compromised gadgets into proxy servers to facilitate unlawful operations.
Contaminated gadgets relay malicious visitors for the cybercriminals, hiding the origin of their exercise and mixing in with residential community visitors. This additionally helps the risk actors bypass regional restrictions, safety filtering, and different protections.
One other operate of Vo1d is advert fraud, faking consumer interactions by simulating clicks on adverts or views on video platforms to generate income for fraudulent advertisers.
The malware has particular plugins that automate advert interactions and simulate human-like looking conduct, in addition to the Mzmess SDK, which distributes fraud duties to totally different bots.
On condition that the an infection chain stays unknown, it is suggested that Android TV customers comply with a holistic safety strategy to mitigate the Vo1d risk.
Step one is shopping for gadgets from respected distributors and reliable resellers to reduce the probability of malware being pre-loaded from the manufacturing unit or whereas in transit.
Secondly, it is crucially necessary to put in firmware and safety updates that shut gaps that could be leveraged for distant infections.
Thirdly, customers ought to keep away from downloading apps exterior of Google Play or third-party firmware pictures that promise prolonged and “unlocked” performance.
Android TV gadgets ought to have their distant entry options disabled if not wanted, whereas taking them offline when not used can be an efficient technique.
Finally, IoT gadgets needs to be remoted from worthwhile gadgets that maintain delicate information on the community degree.
