Void captures over 1,000,000 Android TV boxes

September 12, 2024

Doctor Web specialists have uncovered yet another case of an Android-based TV box infection. The malware, dubbed Android.Vo1d, has infected almost 1.3 million devices belonging to users in 197 countries. It is a backdoor that places its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.

In August 2024, Doctor Web was contacted by several users whose Dr.Web antivirus had detected changes in their device's system file area. The problem occurred with these models:

TV box model      Declared firmware version
R4                Android 7.1.2; R4 Build/NHG47K
TV BOX            Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP     Android 10.1; KJ-SMART4KVIP Build/NHG47K

All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were modified on the affected TV box:

  • install-recovery.sh
  • daemonsu

In addition, 4 new files emerged in its file system:

  • /system/xbin/vo1d
  • /system/xbin/wd
  • /system/bin/debuggerd
  • /system/bin/debuggerd_real

The vo1d and wd files are the components of the Android.Vo1d trojan that we discovered.

The trojan's authors probably tried to disguise one of its components as the system program /system/bin/vold, having called it by the similar-looking name "vo1d" (substituting the lowercase letter "l" with the number "1"). The trojan's name comes from the name of this file. Moreover, this spelling is consonant with the English word "void".

The install-recovery.sh file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Android.Vo1d has registered the autostart for the wd component in this file.

The modified install-recovery.sh file

The daemonsu file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. Android.Vo1d registered itself in this file, too, having also set up autostart for the wd module.

The debuggerd file is a daemon that is normally used to create reports on errors that have occurred. But when the TV box was infected, this file was replaced by the script that launches the wd component.

The debuggerd_real file in the case we are reviewing is a copy of the script that was used to substitute the real debuggerd file. Doctor Web specialists believe that the trojan's authors intended the original debuggerd to be moved into debuggerd_real to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). As a result, the device had two scripts from the trojan and not a single real debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

  • daemonsu (the vo1d file analogue — Android.Vo1d.1);
  • wd (Android.Vo1d.3);
  • debuggerd (the same script as described above);
  • debuggerd_real (the original file of the debuggerd tool);
  • install-recovery.sh (a script that loads the objects specified in it).

An analysis of all the aforementioned files showed that in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan's successful auto launch during subsequent device reboots.
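As an added illustration that is not part of the Doctor Web write-up, the following POSIX shell script audits either a live rooted box (run through adb shell) or a pulled copy of /system for the persistence artefacts described above: the vo1d, wd and debuggerd_real files, a debuggerd that is no longer an ELF binary, and install-recovery.sh or daemonsu entries that launch wd. The article does not give the paths of install-recovery.sh and daemonsu, so the script locates them by name under /system, and the pattern it uses to recognise a line that launches wd is an assumption rather than the exact line the trojan writes.

```shell
#!/bin/sh
# Added example, not from the Doctor Web write-up: audit an Android /system tree
# for the Android.Vo1d persistence artefacts described in the article.
# ROOT is "/" on a live (rooted) box run via `adb shell`, or a directory that
# holds a pulled copy of /system for offline checking.

# 0 if $1 begins with the ELF magic bytes, 1 otherwise.
is_elf() {
  [ -f "$1" ] || return 1
  [ "$(head -c 4 "$1")" = "$(printf '\177ELF')" ]
}

# 0 if $1 contains a line that runs a program named "wd" (e.g. "/system/xbin/wd &").
# The exact line the trojan writes is not known from the article; this pattern is an assumption.
references_wd() {
  [ -f "$1" ] && grep -qE '(^|[[:space:]/])wd([[:space:]]|$)' "$1"
}

# Prints one line per finding; the return value is the number of findings (0 = nothing found).
audit_vo1d() {
  root="${1%/}"          # "/" and "" both mean the live root filesystem
  findings=0

  # Files the article lists as new on infected boxes.
  for f in /system/xbin/vo1d /system/xbin/wd /system/bin/debuggerd_real; do
    if [ -e "$root$f" ]; then
      echo "suspicious file present: $f"
      findings=$((findings + 1))
    fi
  done

  # The genuine debuggerd is a native binary; on infected boxes it was swapped for a script.
  if [ -f "$root/system/bin/debuggerd" ] && ! is_elf "$root/system/bin/debuggerd"; then
    echo "/system/bin/debuggerd is not an ELF binary (replaced by a script?)"
    findings=$((findings + 1))
  fi

  # Autostart hooks: install-recovery.sh and daemonsu, located by name because the
  # article does not give their paths (assumed to live somewhere under /system).
  if [ -d "$root/system" ]; then
    for f in $(find "$root/system" -type f \( -name install-recovery.sh -o -name daemonsu \) 2>/dev/null); do
      if references_wd "$f"; then
        echo "autostart hook for wd found in ${f#"$root"}"
        findings=$((findings + 1))
      fi
    done
  fi

  return "$findings"
}

# Usage: sh vo1d_audit.sh [ROOT]   (no argument = inspect the device the script runs on).
case "$0" in
  *vo1d_audit.sh) audit_vo1d "${1:-/}" ;;
esac
```

The exit status is the number of findings, so the script can be wired into a fleet check that treats any non-zero result as a device to pull for closer inspection; because the checks rely on the names and locations reported in this article, a variant that uses different file names would need the lists extended.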

Android.Vo1d's main functionality is concealed in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which operate in tandem. The Android.Vo1d.1 module is responsible for launching Android.Vo1d.3 and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&C server. In turn, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that is stored, encrypted, in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.

A study carried out by Doctor Web malware analysts showed that the Android.Vo1d backdoor has infected around 1.3 million devices, while its geographical distribution included almost 200 countries. The largest number of infections were detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.



Countries with the highest number of infected devices detected

One possible reason why the attackers distributing Android.Vo1d specifically chose TV boxes is that such devices often run on outdated Android versions, which have unpatched vulnerabilities and are no longer supported with updates. For example, the users who contacted us have models that are based on Android 7.1, although for some of them the configuration indicates much newer versions, such as Android 10 and Android 12. Unfortunately, it is not uncommon for budget device manufacturers to use older OS versions and pass them off as more up-to-date ones to make them more attractive.

In addition, users themselves may mistakenly perceive TV boxes to be better protected devices compared to smartphones. As a result, they may install anti-virus software on them less often and risk encountering malware when downloading third-party apps or installing unofficial firmware.

At the moment, the source of the TV boxes' backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.

Dr.Web anti-virus for Android successfully detects all known Android.Vo1d trojan variants and, if root access is available, cures the infected devices.

Indicators of compromise

More details on Android.Vo1d.1

More details on Android.Vo1d.3

More details on Android.Vo1d.5
