1.6 Million Android TVs Worldwide Hacked

A sophisticated botnet operation has compromised 1.6 million Android TV devices across 226 nations, leveraging advanced domain generation algorithms and cryptographic evasion techniques to create the largest known IoT threat since the 2016 Mirai attacks.

Dubbed Vo1d, this operation represents a paradigm shift in large-scale device hijacking through its multi-layered infrastructure and novel ASR-XXTEA encryption variant.

The campaign began on November 28, 2024, when researchers observed the IP address 38.46.218.36 distributing the jddx ELF loader, which uses Bigpanzi-style string obfuscation.


Three-Stage Payload Delivery System

Loader Components: Initial downloaders like s63 establish TLS 1.3 connections to hardcoded C2s (ssl8rrs2.com:55600) using RSA-2048/OAEP padding for key exchange. Each session negotiates unique XXTEA-128 keys through:

Payload Obfuscation: Second-stage modules like ts01 employ arithmetic shift right (ASR) modifications to XXTEA. This thwarts standard decryption tools while maintaining backward compatibility.

Persistence Mechanisms: Final payloads deploy DexLoader APKs (MD5: 68ec86a761233798142a6f483995f7e9) masquerading as Google Play Services, using XML attribute spoofing.

Vo1d’s infrastructure employs 258 DGA seeds generating 21,120 domains across .com/.net/.top TLDs, with 32-character patterns like z{mask}2940637fafa.com.

C2 domains – primary infrastructure for Vo1d’s current campaign
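As an added illustration (not code from XLab or the article), the following heuristic flags DNS queries whose shape matches the Vo1d DGA pattern described above: a 32-character alphanumeric second-level label under .com, .net or .top with high character entropy. The log format, sample lines and the entropy threshold are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Added example, not from the XLab report. Heuristic triage of DNS query logs
# for domains that match the Vo1d DGA shape described in the article.
VO1D_TLDS = {"com", "net", "top"}
LABEL_LEN = 32
ENTROPY_MIN = 3.0  # bits per character; assumed threshold, tune to your baseline


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_vo1d_dga(domain: str) -> bool:
    """True if the domain matches the DGA shape the report describes."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) != 2:          # only bare second-level domains, no subdomains
        return False
    label, tld = parts
    if tld not in VO1D_TLDS or len(label) != LABEL_LEN:
        return False
    if not re.fullmatch(r"[a-z0-9]+", label):
        return False
    return shannon_entropy(label) >= ENTROPY_MIN


# Constructed sample DNS log lines (format is an assumption): timestamp client qname
SAMPLE_LOG = """\
2025-02-25T10:00:01Z 10.0.0.12 www.google.com
2025-02-25T10:00:02Z 10.0.0.12 z7f3c1a9e02b5d48c6e1f2940637fafa.com
2025-02-25T10:00:03Z 10.0.0.13 updates.example.net
2025-02-25T10:00:04Z 10.0.0.13 q4d9e8b7a6c5f3e2d1b0a9c8e7f6d5c4.top
"""


def flag_dga_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose qname matches the heuristic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _ts, client, qname = fields
        if looks_like_vo1d_dga(qname):
            hits.append((client, qname))
    return hits
```

Hits from this heuristic are candidates for correlation against the sinkhole data, not proof of infection on their own.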

“On December 8, 2024, while monitoring 135 million Bot IPs through a DGA C2 sinkhole, we noticed an unusually low infection count in China, only a few dozen cases despite the country’s vast number of Android TV devices”, reads XLab’s report.

Geopolitical Impact and Surge Patterns

Infection rates show alarming volatility in developing markets:

India:

  • Feb 1: 3,901 active nodes
  • Feb 23: 217,771 nodes (55x increase)
  • Feb 25: 94,302 nodes (76% drop)

China:

  • Dec 15: 47 active nodes
  • Jan 18: 20,112 nodes after .com DGA registration
  • Feb 25: 49,887 nodes

Countries Infected by Vo1d

Researchers attribute these fluctuations to a “botnet leasing” model where criminal groups temporarily acquire device clusters for DDoS (≤5.6 Tbps) or proxy services.

ASR-XXTEA Detection Signatures:

Despite these efforts, 800,000+ devices remain active as of February 28, 2025, with new Mzmess plugins enabling:

  • Residential proxy networks (p6332/p8232 payloads)
  • Ad fraud through task.moyu88.xyz click injection
  • Political disinformation via deepfake video injection

The HUD breach demonstrates Vo1d’s media manipulation capabilities, using forced AV sync protocols to override HDMI-CEC controls.

With 1.6 million devices capable of generating 1.2 petabits/sec of malicious traffic, the botnet represents an existential threat to CDN providers (Cloudflare, Akamai), broadcast infrastructure (ATSC 3.0 networks), and smart city IoT grids.

This evolving crisis underscores the urgent need for mandatory SBOM disclosures in IoT supply chains and international cooperation to dismantle the Vo1d infrastructure.

With infection rates growing exponentially in South Asia and MENA regions, the window for effective countermeasures is rapidly closing.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.