1.3 million Android-based TV boxes backdoored; researchers still don’t know how

Researchers nonetheless don’t know the reason for a not too long ago found malware an infection affecting nearly 1.3 million streaming units operating an open supply model of Android in nearly 200 international locations.

Safety agency Physician Internet reported Thursday that malware named Android.Vo1d has backdoored the Android-based bins by placing malicious parts of their system storage space, the place they are often up to date with extra malware at any time by command-and-control servers. Google representatives stated the contaminated units are operating working techniques based mostly on the Android Open Supply Mission, a model overseen by Google however distinct from Android TV, a proprietary model restricted to licensed gadget makers.

Dozens of variants

Though Physician Internet has an intensive understanding of Vo1d and the distinctive attain it has achieved, firm researchers say they’ve but to find out the assault vector that has led to the infections.

“For the time being, the supply of the TV bins’ backdoor an infection stays unknown,” Thursday’s publish said. “One doable an infection vector might be an assault by an intermediate malware that exploits working system vulnerabilities to realize root privileges. One other doable vector might be using unofficial firmware variations with built-in root entry.”

The next gadget fashions contaminated by Vo1d are:

One doable reason for the infections is that the units are operating outdated variations which might be susceptible to exploits that remotely execute malicious code on them. Variations 7.1, 10.1, and 12.1, for instance, had been launched in 2016, 2019, and 2022, respectively. What’s extra, Physician Internet stated it’s commonplace for finances gadget producers to put in older OS variations in streaming bins and make them seem extra engaging by passing them off as extra up-to-date fashions.

Additional, whereas solely licensed gadget makers are permitted to change Google’s AndroidTV, any gadget maker is free to make modifications to open supply variations. That leaves open the likelihood that the units had been contaminated within the provide chain and had been already compromised by the point they had been bought by the tip consumer.

“These off-brand units found to be contaminated weren’t Play Protect certified Android devices,” Google stated in a press release. “If a tool is not Play Defend licensed, Google doesn’t have a file of safety and compatibility check outcomes. Play Defend licensed Android units bear in depth testing to make sure high quality and consumer security.”

The assertion stated folks can verify a tool runs Android TV OS by checking this link and following the steps listed here.

Physician Internet stated that there are dozens of Vo1d variants that use totally different code and plant malware in barely totally different storage areas, however that every one obtain the identical finish results of connecting to an attacker-controlled server and putting in a remaining element that may set up extra malware when instructed. VirusTotal reveals that a lot of the Vo1d variants had been first uploaded to the malware identification website a number of months in the past.

Researchers wrote:

All these circumstances concerned related indicators of an infection, so we’ll describe them utilizing one of many first requests we obtained for example. The next objects had been modified on the affected TV field:

• install-recovery.sh
• daemonsu

As well as, 4 new recordsdata emerged in its file system:

• /system/xbin/vo1d
• /system/xbin/wd
• /system/bin/debuggerd
• /system/bin/debuggerd_real

The vo1d and wd recordsdata are the parts of the Android.Vo1d trojan that we found.

The trojan’s authors most likely tried to disguise one if its parts because the system program /system/bin/vold, having known as it by the similar-looking title “vo1d” (substituting the lowercase letter “l” with the quantity “1”). The trojan horse’s title comes from the title of this file. Furthermore, this spelling is consonant with the English phrase “void”.

The install-recovery.sh file is a script that’s current on most Android units. It runs when the working system is launched and accommodates knowledge for autorunning the weather laid out in it. If any malware has root entry and the flexibility to jot down to the /system system listing, it could anchor itself within the contaminated gadget by including itself to this script (or by creating it from scratch if it’s not current within the system). Android.Vo1d has registered the autostart for the wd element on this file.

The daemonsu file is current on many Android units with root entry. It’s launched by the working system when it begins and is chargeable for offering root privileges to the consumer. Android.Vo1d registered itself on this file, too, having additionally arrange autostart for the wd module.

The debuggerd file is a daemon that’s usually used to create studies on occurred errors. However when the TV field was contaminated, this file was changed by the script that launches the wd element.

The debuggerd_real file within the case we’re reviewing is a duplicate of the script that was used to substitute the actual debuggerd file. Physician Internet consultants consider that the trojan’s authors supposed the unique debuggerd to be moved into debuggerd_real to take care of its performance. Nevertheless, as a result of the an infection most likely occurred twice, the trojan moved the already substituted file (i.e., the script). In consequence, the gadget had two scripts from the trojan and never a single actual debuggerd program file.

On the similar time, different customers who contacted us had a barely totally different checklist of recordsdata on their contaminated units:

• daemonsu (the vo1d file analogue — Android.Vo1d.1);
• wd (Android.Vo1d.3);
• debuggerd (the identical script as described above);
• debuggerd_real (the unique file of the debuggerd instrument);
• install-recovery.sh (a script that masses objects laid out in it).

An evaluation of all of the aforementioned recordsdata confirmed that as a way to anchor Android.Vo1d in the system, its authors used at the very least three totally different strategies: modification of the install-recovery.sh and daemonsu recordsdata and substitution of the debuggerd program. They most likely anticipated that at the very least one of many goal recordsdata can be current within the contaminated system, since manipulating even certainly one of them would make sure the trojan’s profitable auto launch throughout subsequent gadget reboots.

Android.Vo1d’s important performance is hid in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) parts, which function in tandem. The Android.Vo1d.1 module is chargeable for Android.Vo1d.3’s launch and controls its exercise, restarting its course of if obligatory. As well as, it could obtain and run executables when commanded to take action by the C&C server. In flip, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that’s encrypted and saved in its physique. This module can even obtain and run executables. Furthermore, it screens specified directories and installs the APK recordsdata that it finds in them.

The geographic distribution of the infections is huge, with the largest quantity detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

It’s not particularly simple for much less skilled folks to examine if a tool is contaminated in need of putting in malware scanners. Physician Internet stated its antivirus software program for Android will detect all Vo1d variants and disinfect units that present root entry. Extra skilled customers can examine indicators of compromise here.