Vo1d Botnet Reaches Unprecedented Scale, Infecting Over 1.59 Million Android TVs Across 226 Countries

By jinia


The Vo1d botnet is wreaking havoc worldwide, with its latest campaign infecting Android TV devices across 226 countries. The most affected regions include Brazil, South Africa, Indonesia, Argentina, and Thailand, where malware-infected devices are being leveraged for illicit cyber activities.


Vo1d Botnet’s Rapid Growth

The botnet’s latest variant has demonstrated staggering growth, reaching a peak of 1,590,299 infected devices on January 19, 2025. On average, 800,000 daily active IPs are engaged in botnet activity. Notably, India experienced a drastic surge in infections, skyrocketing from less than 1% (3,901 devices) to 18.17% (217,771 devices) as of February 25, 2025.


According to QiAnXin XLab, Vo1d has undergone major enhancements to evade detection and improve its resilience. The botnet now employs RSA encryption to secure network communications, preventing takeover attempts. Each payload utilizes a unique downloader with XXTEA encryption and RSA-protected keys, making reverse engineering and analysis significantly more challenging.


How Vo1d Infiltrates Android TVs

First documented by Doctor Web in September 2024, Vo1d exploits vulnerabilities in Android-based TV boxes via a backdoor that allows it to download additional executables. While the exact attack vector remains unclear, cybersecurity experts suspect:

  • A supply chain attack involving compromised firmware

  • The distribution of unofficial firmware versions with built-in root access


Google clarified that the affected Android TV models are not Play Protect-certified and likely use Android Open Source Project (AOSP) code rather than official Google-certified software.



Expanding Cybercrime Capabilities

The latest iteration of the Vo1d botnet showcases its capability to operate at an unprecedented scale. The malware is primarily used to build proxy networks and conduct advertisement click fraud, but researchers warn that it could be turned to more dangerous uses.


QiAnXin XLab suggests that Vo1d's fluctuating activity stems from a “rental-return” model, where cybercriminals lease parts of the botnet’s infrastructure for illicit operations before returning them to the larger Vo1d network.


Technical Analysis of Vo1d’s Malware Architecture

A recent analysis of Vo1d’s ELF malware variant (s63) reveals a multi-stage attack strategy:

  • Step 1: The malware downloads, decrypts, and executes a second-stage payload that establishes communication with a Command-and-Control (C2) server.

  • Step 2: The decrypted package (ts01) includes four core files:

    • install.sh (installation script)

    • cv (launch component)

    • vo1d (core malware module)

    • x.apk (Android application)

  • Step 3: The vo1d module decrypts and executes an embedded backdoor, enabling remote control capabilities.



Advanced Evasion Techniques

The latest Vo1d version introduces a Redirector C2, allowing the botnet to dynamically locate its real C2 server. The malware leverages:

  • A hardcoded Redirector C2

  • A large pool of dynamically generated domains (via Domain Generation Algorithm, DGA)


The malicious Android app associated with Vo1d disguises itself as Google Play Services, using the package name com.google.android.gms.stable to evade detection. It achieves persistence by automatically launching upon device reboot (BOOT_COMPLETED event).


Mzmess: A Modular Android Malware Linked to Vo1d

Vo1d is also linked to a modular Android malware called Mzmess, which deploys four distinct plugins:

  • Popa (com.app.mz.popan) & Jaguar (com.app.mz.jaguarn) – Used for proxy services

  • Lxhwdg (com.app.mz.lxhwdgn) – Function remains unclear due to an offline C2 server

  • Spirit (com.app.mz.spiritn) – Engaged in ad fraud and traffic manipulation
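The package names above (the Play Services lookalike from the Vo1d app and the four Mzmess plugins) are the indicators a defender can check an Android TV box against. The script below is an added example, not code from the article or from XLab: it parses the output of `adb shell pm list packages -f` and flags exact matches plus any package that merely extends the real `com.google.android.gms` name, which is a heuristic that warrants manual review rather than a confirmed detection. The sample output embedded in it is constructed, not a real device capture.

```python
"""Flag Vo1d/Mzmess package-name indicators in `adb shell pm list packages -f` output."""
import re

# Package names as reported in the article (XLab findings).
VO1D_INDICATORS = {
    "com.google.android.gms.stable": "Vo1d app posing as Google Play Services",
    "com.app.mz.popan": "Mzmess Popa plugin (proxy)",
    "com.app.mz.jaguarn": "Mzmess Jaguar plugin (proxy)",
    "com.app.mz.lxhwdgn": "Mzmess Lxhwdg plugin (function unclear)",
    "com.app.mz.spiritn": "Mzmess Spirit plugin (ad fraud)",
}
LEGIT_GMS = "com.google.android.gms"  # the genuine Play Services package name

# `pm list packages -f` prints one line per package: package:<apk path>=<name>
PKG_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[\w.]+)$")


def parse_pm_list(output):
    """Return (name, apk_path) pairs from pm output; malformed lines are skipped."""
    pkgs = []
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs.append((m.group("name"), m.group("path")))
    return pkgs


def scan_packages(output):
    """Return (name, path, reason) triples for packages that deserve a closer look."""
    hits = []
    for name, path in parse_pm_list(output):
        if name in VO1D_INDICATORS:
            hits.append((name, path, VO1D_INDICATORS[name]))
        elif name.startswith(LEGIT_GMS + "."):
            # Heuristic only: a name that extends the real gms package is a
            # lookalike candidate and must be verified, not treated as confirmed.
            hits.append((name, path, "possible Play Services lookalike, verify"))
    return hits


# Constructed sample output for a stand-alone run (not captured from a device).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/data/app/com.google.android.gms.stable-1/base.apk=com.google.android.gms.stable
package:/data/app/com.app.mz.spiritn-2/base.apk=com.app.mz.spiritn
package:/system/app/Settings/Settings.apk=com.android.tv.settings
garbage line that should be ignored
"""

if __name__ == "__main__":
    for name, path, reason in scan_packages(SAMPLE_PM_OUTPUT):
        print(f"{name}\t{path}\t{reason}")
```

To check a real box, save `adb shell pm list packages -f` to a file and pass its contents to `scan_packages`; the genuine `com.google.android.gms` entry is deliberately not flagged.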


Interestingly, researchers have found no direct infrastructure overlap between Mzmess and Vo1d, suggesting that cybercriminals may be renting the botnet’s services to other threat actors.


The Growing Cyber Threat Landscape

Vo1d’s extensive reach and sophisticated capabilities make it a serious cybersecurity threat. While currently focused on profit-driven cybercrime, its full control over infected devices presents a major risk for large-scale cyberattacks. Potential malicious uses include:

  • Distributed Denial-of-Service (DDoS) attacks

  • Unauthorized content broadcasting

  • More advanced cyber espionage campaigns


Final Thoughts

As Vo1d continues to evolve, organizations and individuals must strengthen their cybersecurity defenses against emerging botnet threats. Using Play Protect-certified Android devices, avoiding unofficial firmware, and staying vigilant against malware infiltration are critical steps in safeguarding against such infections.