# Enhanced Capabilities Sustain the Rapid Growth of Vo1d Botnet
The rapid growth of the Vo1d botnet can be attributed to its enhanced capabilities, which have enabled it to spread across 197 countries and infect nearly 1.3 million Android-based TV boxes. In September 2024, Doctor Web researchers uncovered the malware, tracked as Vo1d, that had infected these devices.
The malicious code acts as a backdoor, allowing attackers to secretly download and install third-party software. Several users reported changes to their TV box system files, observed on various models including the R4 (Android 7.1.2), TV BOX (Android 12.1), and KJ-SMART4KVIP (Android 10.1). The indicators of compromise included modifications to system files such as install-recovery.sh and daemonsu, as well as the appearance of four new files: vo1d, wd, debuggerd, and debuggerd_real.
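A defender-side check for the file indicators listed above, written as an added example for this article (it is not code from Doctor Web or QiAnXin). It scans a pulled or mounted /system tree for the four dropped filenames and compares install-recovery.sh, daemonsu and debuggerd against caller-supplied known-good hashes; the search directories, the token-reference heuristic for the startup scripts and the sample tree it builds are all assumptions of the example.

```python
import hashlib, os, re, tempfile

# Indicator names from the article. debuggerd is also a stock daemon name on
# older Android builds, so it is hash-checked rather than flagged by name alone.
NAME_ONLY = {"vo1d", "wd", "debuggerd_real"}
BASELINE_CHECK = {"install-recovery.sh", "daemonsu", "debuggerd"}
SCRIPTS = {"install-recovery.sh", "daemonsu"}
SEARCH_DIRS = ("system/bin", "system/xbin")  # assumed locations
TOKEN_RE = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, NAME_ONLY)))

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_vo1d_iocs(root, baseline):
    """Return sorted (finding_kind, relative_path) tuples.
    root     -- directory holding an `adb pull`ed or mounted /system tree
    baseline -- {filename: known-good sha256} for files in BASELINE_CHECK;
                a file present on the device but absent from baseline is flagged."""
    findings = set()
    for sub in SEARCH_DIRS:
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path, rel = os.path.join(d, name), f"{sub}/{name}"
            if not os.path.isfile(path):
                continue
            if name in NAME_ONLY:
                findings.add(("dropped-file", rel))
            elif name in BASELINE_CHECK and baseline.get(name) != sha256_of(path):
                findings.add(("modified-or-replaced", rel))
            if name in SCRIPTS:  # heuristic: a startup script launching a dropped binary
                with open(path, "rb") as f:
                    if TOKEN_RE.search(f.read().decode("utf-8", "replace")):
                        findings.add(("references-dropped-file", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree for this example, not a real capture."""
    root = tempfile.mkdtemp(prefix="vo1d-demo-")
    d = os.path.join(root, "system", "bin")
    os.makedirs(d)
    clean_recovery = b"#!/system/bin/sh\n/system/bin/install-recovery-stock\n"
    files = {"install-recovery.sh": clean_recovery + b"/system/bin/vo1d &\n",  # tampered
             "daemonsu": b"#!/system/bin/sh\necho stock\n",                    # untouched
             "vo1d": b"\x7fELF", "wd": b"\x7fELF", "debuggerd": b"\x7fELF", "debuggerd_real": b"\x7fELF"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    baseline = {"install-recovery.sh": hashlib.sha256(clean_recovery).hexdigest(),
                "daemonsu": hashlib.sha256(files["daemonsu"]).hexdigest()}
    return root, baseline

if __name__ == "__main__":
    root, baseline = build_sample_tree()
    for kind, rel in scan_for_vo1d_iocs(root, baseline):
        print(f"{kind:24} {rel}")
```

On a real device, pull the tree with `adb pull /system` and populate the baseline from a clean unit of the same model and firmware build.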
The Vo1d Android trojan was identified by experts, who noted that these files were used for payload delivery. The geographical distribution of the infections included almost 200 countries, with Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia reporting the largest number of infections.
The attackers target TV boxes because these devices often run outdated Android versions with unpatched vulnerabilities and no longer receive updates. Users may also mistakenly believe that TV boxes are more secure than smartphones, so they install antivirus software less often, which increases their risk when downloading third-party apps or unofficial firmware.
Recently, researchers at the Chinese cybersecurity firm QiAnXin discovered 89 new malware samples. The botnet has approximately 800,000 daily active IPs, peaking at 1,590,299 on January 14, 2025. The Vo1d botnet has enhanced its stealth and resilience with RSA encryption to secure C2 communication, preventing C2 takeover.
Its infrastructure now includes hardcoded and DGA-based Redirector C2s for flexibility. Payload delivery is optimized with unique Downloaders using XXTEA encryption and RSA-protected keys, making analysis and detection significantly harder.
According to QiAnXin, Vo1d's main goal is building a proxy network, similar to 911 S5, which made $99M in illicit profits. In May 2024, an international law enforcement operation led by the U.S. DoJ disrupted the 911 S5 botnet and led to the arrest of its administrator, opening new opportunities for botnets providing anonymization services like Vo1d.
The geographical distribution of infected devices shows that 24.97% are in Brazil, followed by South Africa (13%), Indonesia (10%), Argentina (5%), Thailand (3%), and China (3%), spanning more than 200 regions.
"Vo1d's massive scale and continuous evolution pose a severe, long-term threat to global cybersecurity," concludes the report, which includes Indicators of Compromise (IoCs). By sharing their findings, Doctor Web aims to contribute to the fight against cybercrime and raise awareness of this formidable threat.