AOSP


1.3 million Android-based TV boxes backdoored; researchers still don’t know how

CAUSE UNKNOWN —

Infection corrals devices running AOSP-based firmware into a botnet.



Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Dozens of variants

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.

“At the moment, the source of the TV boxes’ backdoor infection remains unknown,” Thursday’s post stated. “One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

Doctor Web listed the following infected models, with the firmware version each one declares:

TV box model     Declared firmware version
R4               Android 7.1.2; R4 Build/NHG47K
TV BOX           Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP    Android 10.1; KJ-SMART4KVIP Build/NHG47K

One possible cause of the infections is that the devices run outdated Android versions with known vulnerabilities that allow remote code execution. Android 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to ship streaming boxes with older OS versions and make them appear more attractive by passing them off as more up-to-date models. The table bears that out: all three models, including the ones that declare Android 10.1 and 12.1, report the same build tag, NHG47K, that the R4 pairs with Android 7.1.2, so the newer version numbers are very likely cosmetic and the boxes are running Nougat-era code.

Further, while only licensed device makers are permitted to modify Google's Android TV, any device maker is free to make changes to AOSP-based builds. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time the end user bought them.

“These off-brand devices discovered to be infected were not Play Protect certified Android devices,” Google said in a statement. “If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

The statement pointed to a Google page that lists how to confirm a device runs Android TV OS and the steps to follow to check.

Doctor Web said that there are dozens of Vo1d variants that use different code and plant malware in slightly different storage areas, but that all achieve the same end result of connecting to an attacker-controlled server and installing a final component that can install additional malware when instructed. VirusTotal shows that most of the Vo1d variants were first uploaded to the malware identification site several months ago.

Researchers wrote:

All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:

  • install-recovery.sh
  • daemonsu

In addition, 4 new files emerged in its file system:

  • /system/xbin/vo1d
  • /system/xbin/wd
  • /system/bin/debuggerd
  • /system/bin/debuggerd_real

The vo1d and wd files are the components of the Android.Vo1d trojan that we discovered.

The trojan’s authors probably tried to disguise one of its components as the system program /system/bin/vold, having called it by the similar-looking name “vo1d” (substituting the lowercase letter “l” with the number “1”). The malicious program’s name comes from the name of this file. Moreover, this spelling is consonant with the English word “void”.

The install-recovery.sh file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Android.Vo1d has registered the autostart for the wd component in this file.

The modified install-recovery.sh file

The daemonsu file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. Android.Vo1d registered itself in this file, too, having also set up autostart for the wd module.

The debuggerd file is a daemon that is typically used to create reports on occurred errors. But when the TV box was infected, this file was replaced by the script that launches the wd component.

The debuggerd_real file in the case we are reviewing is a copy of the script that was used to substitute the real debuggerd file. Doctor Web experts believe that the trojan’s authors intended the original debuggerd to be moved into debuggerd_real to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). As a result, the device had two scripts from the trojan and not a single real debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

  • daemonsu (the vo1d file analogue — Android.Vo1d.1);
  • wd (Android.Vo1d.3);
  • debuggerd (the same script as described above);
  • debuggerd_real (the original file of the debuggerd tool);
  • install-recovery.sh (a script that loads objects specified in it).

An analysis of all the aforementioned files showed that in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful auto launch during subsequent device reboots.

Android.Vo1d’s main functionality is concealed in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which operate in tandem. The Android.Vo1d.1 module is responsible for Android.Vo1d.3’s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&C server. In turn, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.

The geographic distribution of the infections is wide, with the biggest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

A world map listing the number of infections found in various countries.

It’s not easy for less experienced users to check whether a device is infected short of installing a malware scanner. Doctor Web said its antivirus software for Android detects all Vo1d variants and can disinfect devices that provide root access. More experienced users can check the indicators of compromise Doctor Web published alongside its report.
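For readers who want to do that check by hand, the following POSIX shell script is an added example (not Doctor Web's tooling and not code from the article) that turns the file list quoted above into a scan of a pulled or mounted /system. It assumes the usual directories for install-recovery.sh and daemonsu, treats a debuggerd that starts with "#!" rather than an ELF header as the substituted script, and adds a heuristic that flags a build.prop whose declared release disagrees with a Nougat build ID such as NHG47K. The two mock trees it builds are constructed sample data so it can be run offline.

```shell
#!/bin/sh
# Added example: heuristic Android.Vo1d indicator check over a pulled or
# mounted Android system image. Not Doctor Web's tooling; paths and
# heuristics are assumptions drawn from the file list quoted above.
# Usage: adb pull /system ./box/system && sh vo1d_check.sh ./box
#        (or run it from `adb shell` with / as the root)

# scan_vo1d ROOT: print one FOUND line per indicator; return 1 if any, else 0.
scan_vo1d() {
    root="${1%/}"
    found=0
    # 1. Files the trojan drops. None belong on a stock image; debuggerd_real
    #    is the displaced original (or a second copy of the trojan's script).
    for f in /system/xbin/vo1d /system/xbin/wd /system/bin/debuggerd_real; do
        if [ -e "$root$f" ]; then
            echo "FOUND dropped file: $f"
            found=1
        fi
    done
    # 2. debuggerd is an ELF binary on these Nougat-era builds; Vo1d swaps in
    #    a shell script that launches wd, so a "#!" header is the tell.
    d="$root/system/bin/debuggerd"
    if [ -f "$d" ] && [ "$(head -c 2 "$d" 2>/dev/null)" = "#!" ]; then
        echo "FOUND debuggerd replaced by a script"
        found=1
    fi
    # 3. Autostart hooks in install-recovery.sh and daemonsu (directories are
    #    the usual ones, assumed). A line running "wd" as a word or path counts.
    for f in /system/etc/install-recovery.sh /system/bin/install-recovery.sh \
             /system/xbin/daemonsu /system/bin/daemonsu; do
        p="$root$f"
        if [ -f "$p" ] && grep -qE '(^|[/[:space:]])wd([[:space:]]|$)' "$p" 2>/dev/null; then
            echo "FOUND autostart hook for wd in: $f"
            found=1
        fi
    done
    return $found
}

# check_declared_version ROOT: compare the advertised release in build.prop
# with the build ID. Google's release-branch build IDs start with the
# codename letter (N = 7.x), so a "12.1" box reporting NHG47K is almost
# certainly rebadged Nougat firmware. Heuristic only: OEM IDs may not follow
# the convention. Returns 1 when inconsistent, 0 otherwise.
check_declared_version() {
    bp="${1%/}/system/build.prop"
    [ -f "$bp" ] || return 0
    release="$(sed -n 's/^ro\.build\.version\.release=//p' "$bp" | head -n 1)"
    bid="$(sed -n 's/^ro\.build\.id=//p' "$bp" | head -n 1)"
    case "$bid" in
        N*) if [ "${release%%.*}" != "7" ]; then
                echo "SUSPECT declared Android $release but build ID $bid is a 7.x tag"
                return 1
            fi ;;
    esac
    return 0
}

# Constructed mock of an infected /system matching the quoted file list, with
# the "TV BOX" build.prop values from the table. Prints the directory.
make_infected_mock() {
    t="$(mktemp -d)"
    mkdir -p "$t/system/xbin" "$t/system/bin" "$t/system/etc"
    : > "$t/system/xbin/vo1d"
    : > "$t/system/xbin/wd"
    printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$t/system/bin/debuggerd"
    cp "$t/system/bin/debuggerd" "$t/system/bin/debuggerd_real"
    printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$t/system/etc/install-recovery.sh"
    printf 'ro.build.version.release=12.1\nro.build.id=NHG47K\n' > "$t/system/build.prop"
    echo "$t"
}

# Constructed mock of a clean Nougat /system for comparison.
make_clean_mock() {
    t="$(mktemp -d)"
    mkdir -p "$t/system/bin" "$t/system/etc"
    printf '\177ELF' > "$t/system/bin/debuggerd"
    printf '#!/system/bin/sh\n# stock recovery helper\n' > "$t/system/etc/install-recovery.sh"
    printf 'ro.build.version.release=7.1.2\nro.build.id=NHG47K\n' > "$t/system/build.prop"
    echo "$t"
}

# Stand-alone run: scan a root given as argument, else demo on the two mocks.
if [ "$#" -gt 0 ]; then
    scan_vo1d "$1"; rc=$?
    check_declared_version "$1" || rc=1
    exit $rc
else
    for m in "$(make_infected_mock)" "$(make_clean_mock)"; do
        echo "== $m"
        scan_vo1d "$m" || true
        check_declared_version "$m" || true
        rm -rf "$m"
    done
fi
```

On a real box the scan needs read access to /system, which the stock shell user has; disinfection needs root and a writable /system, which is why Doctor Web's cleaner only works on rooted devices. Because the hooks live in the system partition, a factory reset (which only wipes /data) will not remove them; reflashing a clean firmware image is the reliable fix.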



Playtron’s wildly ambitious gaming OS aims to unite stores, lure “core casuals”

Core Casual Corps —

Headed by former Cyanogen CEO, it’s a Linux OS that might not be fully open.

Mock-up of a potential Playtron device. This isn’t what the first PlaytronOS-powered device will look like. That could be your Steam Deck, a 5G device from your cell carrier, or maybe your car.

The Steam Deck’s OS is purpose-built for handheld gaming, but it’s confined to one device unless you’re willing to head out to the bleeding edge. Beyond SteamOS there is Windows, which can let down ambitious Deck-likes; there is the Nintendo Switch; and there are Android-based devices that are a lot like Android phones. This setup has at least one company saying, in infomercial tones, that there has got to be a better way.

That company is Playtron, a new software startup that aims to fix that setup with a Linux-based gaming OS that’s tied to no particular game store or platform. Playtron has $10 million, coders from open source projects like ChimeraOS and Heroic Games Launcher, and the former CEO of Cyanogen. With that, it aims to have “Playtron-native devices shipping worldwide in 2025,” and to capture the 1 billion “core casual” gamers they see as under-served.

Demo of Playtron running on a Lenovo Legion Go, uploaded by Playtron CEO Kirk McMaster.

What devices will Playtron use to serve them? Some of them might be Steam Decks, as you will “soon be able to install Playtron on your favorite handheld PC,” according to Playtron’s ambitious, somewhat scattershot single-page website. Some might be “Playtron-powered 5G devices coming soon to markets around the world.” Really, though, Playtron aims to provide a gaming platform to any device with a CPU and a screen, be it desktop or mobile, ARM or x86, TV or car.

  • I have looked at this Venn diagram for long stretches and have still not figured out if the target is someone who is deeply into gaming or turned off by having to choose a platform or both or neither.

  • Additional mock-ups of hypothetical Playtron devices from Playtron’s website or possibly just Playtron logos on existing devices.

Sean Hollister at The Verge spoke with Playtron CEO Kirk McMaster; Hollister has also viewed internal planning documents and tried out an alpha of the OS. McMaster told Hollister that handheld-maker Ayaneo plans to ship a Playtron device in 2024, while “numerous OEMs and mobile operators” are looking at 2025. Playtron aims to compete with Windows on price ($10 instead of what McMaster cites as $80 per head), and against Steam with a non-Steam platform that, McMaster claims, will still prevent cheating thanks to a Fedora-Silverblue-based immutable file system. There are also some mentions of AI tools for helping casual gamers or determining launch configurations for games. Also, there are crypto-focused investors and a mention of offering crypto-based game purchases, though Playtron may also not have a store at all.

Another notable thing Playtron has is McMaster, the former head of Cyanogen Inc. That project launched in 2013 with $7 million in venture funding and an ambition to turn the free and open source-minded Android ROM community, CyanogenMod, into a for-profit OS and apps vendor. Google reportedly tried to buy Cyanogen Inc. at some point in 2014 but was turned away, as the company saw itself as growing. By the end of 2016, Cyanogen Inc. was shut down, and the Android ROM community reorganized around LineageOS. Ars’ 2016 “Deathwatch” cited McMaster’s “delusions of grandeur,” noting his claimed desire to “put a bullet in Google’s head” while maintaining an OS that was almost entirely dependent on Google’s open source Android code.

McMaster told The Verge’s Hollister that, from his time at Cyanogen Inc., he “learned that you shouldn’t try to commercialize an open-source project with a significant history because it can lead to culture wars.” There are strong hints that Playtron will not be entirely open source, though it will encourage the Linux coders it has hired to continue contributing to projects like ChimeraOS.
