Close Menu
newsletter
Innovation

Vo1d Malware Botnet Now Controls 1.6M Devices

Press RoomBy 4 Mins Read
Vo1d Malware Botnet Now Controls 1.6M Devices

Cybercriminals are constantly evolving their methods, and the latest example of this is the alarming spread of the Vo1d malware botnet. This highly sophisticated malware has now infected 1,590,299 Android TV devices across 226 countries, transforming them into anonymous proxy servers for illicit activities. What makes this malware particularly concerning is its resilience and ability to grow despite previous exposure by security researchers.

According to an investigation by XLab, Vo1d reached its peak infection rate on January 14, 2025, with 800,000 active bots currently in operation. Researchers speculate that the botnet is being leased to cybercriminal groups for various illegal operations, from ad fraud to bypassing regional internet restrictions. The botnet’s infection patterns suggest that devices are being rented out and then returned, leading to sharp surges and declines in the number of active bots in specific regions. The most significant impact has been recorded in Brazil, South Africa, Indonesia, Argentina, Thailand, and China.

Vo1d Malware Explained

Vo1d is not just another botnet—it is one of the largest and most advanced in recent years, surpassing even notorious botnets like Mirai and Bigpanzi. Its sophisticated Command and Control infrastructure employs 2048-bit RSA encryption and Domain Generation Algorithms, making it incredibly difficult to dismantle. The malware uses 32 DGA seeds to generate over 21,000 C&C domains, ensuring that it remains operational despite efforts to disrupt its network.

One of the primary functions of Vo1d is transforming infected devices into proxy servers. This allows cybercriminals to reroute malicious traffic through these compromised devices, obscuring their original locations and avoiding detection. These proxies can be used for a range of illicit activities, including:

  • Ad Fraud: The malware can manipulate online advertising systems by generating fake clicks and views to artificially inflate revenue for fraudulent advertisers.
  • Illegal Transactions: Threat actors can use infected devices to carry out financial fraud, identity theft, and other cybercrimes while appearing to operate from legitimate IP addresses.
  • Security Evasion: The botnet enables criminals to bypass geo-restrictions, content filters, and cybersecurity defenses, making it more difficult for law enforcement to trace their activities.

What makes Vo1d even more dangerous is its evolving nature. The latest version includes enhanced stealth capabilities and custom XXTEA encryption, further complicating detection and removal efforts. Even if researchers manage to register a C&C domain, they cannot issue commands to disable the botnet due to the strong encryption measures in place.

Vo1d also deploys specialized plugins, including the Mzmess SDK, which coordinates fraudulent ad-clicking activities. This SDK enables the botnet to simulate human-like interactions, tricking advertising networks into paying for fake engagement. Additionally, Vo1d has the capability to harvest system information from infected devices, including IP addresses, device specifications, and network details, which could be leveraged for further cyberattacks.

Another notable aspect of Vo1d’s evolution is its infection technique. While the precise infection vector remains unknown, researchers suspect that it spreads through malicious firmware updates, sideloaded applications, or vulnerabilities in Android TV systems. Some indications suggest that compromised third-party app stores and illicit streaming services may play a role in distributing the malware.

The botnet’s infrastructure also includes a layered obfuscation mechanism, making it difficult for security researchers to analyze and take down. Each infected device communicates with multiple C&C servers in a decentralized manner, reducing the risk of the entire network collapsing if specific nodes are shut down. Furthermore, Vo1d can dynamically update its payload, allowing it to introduce new features or evade security measures over time.

7 Essential Tips to Stay Safe

Given the scale and complexity of this and other botnets, consumers must adopt a proactive approach to cybersecurity. Android TV users and IoT device owners should take the following precautions to minimize the risk of infection:

  1. Only buy Android TV and IoT devices from trusted manufacturers and authorized resellers. Avoid purchasing from third-party sources that may preload devices with malware.
  2. Cybercriminals exploit vulnerabilities in outdated software. Ensure that all firmware and security updates are installed promptly to close potential security gaps.
  3. Do not install apps from outside the Google Play Store or third-party firmware images that promise extended functionality. These often contain hidden malware.
  4. If your Android TV or IoT device has remote access enabled, disable it unless it is absolutely necessary. This reduces the risk of unauthorized access by cybercriminals.
  5. Disconnect devices from the internet when they are not actively being used.
  6. Configure your home network to separate IoT devices from computers and smartphones that contain sensitive data. This way, even if an IoT device is infected, it cannot easily spread malware to other crucial systems.
  7. Use security software or a network monitoring tool to detect abnormal internet traffic patterns that could indicate a compromised device.
Share.

Related Articles