A new and highly sophisticated variant of the Vo1d malware botnet has compromised over 1.59 million Android TV devices across 226 countries, turning them into anonymous proxy nodes for cybercriminals.
According to cybersecurity firm Xlab, which has been tracking the botnet’s activity since November 2024, the infection surged to its peak on January 14, 2025, with 800,000 active bots still operating today.
A Growing Threat
The Vo1d botnet was first uncovered in September 2024 by Dr. Web researchers, who reported 1.3 million infected devices across 200 countries at the time. Despite that exposure, the malware has evolved, spreading on an even larger scale with new encryption techniques and stealth mechanisms that make it harder to detect and disrupt.
Xlab’s latest findings reveal that the botnet now utilizes advanced RSA encryption, a custom XXTEA algorithm, and a resilient domain generation algorithm (DGA) to sustain its operations.
One of the Largest Botnets in Recent History
Vo1d has rapidly grown into one of the largest botnets ever recorded, surpassing previous threats like Bigpanzi, the Mirai botnet, and the network responsible for the record-breaking 5.6 Tbps DDoS attack handled by Cloudflare in 2024.
The highest number of infections has been reported in:
- Brazil (25%)
- South Africa (13.6%)
- Indonesia (10.5%)
- Argentina (5.3%)
- Thailand (3.4%)
- China (3.1%)
In some regions, the malware’s expansion has been explosive—for instance, the number of infected devices in India skyrocketed from 3,900 to 217,000 in just three days.
Security analysts believe this rapid fluctuation could indicate that Vo1d operators are renting infected devices as proxy servers, commonly used for fraudulent activities, cyberattacks, and botnet-driven schemes.
Additionally, the botnet’s command-and-control (C2) infrastructure is highly sophisticated, leveraging 32 different DGA seeds to generate more than 21,000 C2 domains. Communication between infected devices and C2 servers is secured with 2048-bit RSA encryption, making it nearly impossible for researchers to hijack the network and issue counter-commands.
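One way a defender might spot DGA-driven C2 lookups of the kind described above, using resolver logs from the network segment that holds TV boxes. This is an added example, not XLab's code and not Vo1d's actual DGA: it flags clients that receive many NXDOMAIN answers for distinct, random-looking names. The log format, thresholds, addresses and domain names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<client_ip> <queried_name> <rcode>".
# All addresses and names are made up; thresholds below are assumptions.
SAMPLE_LOG = """\
192.168.50.23 xk7qpl2mzv9w.example NXDOMAIN
192.168.50.23 b4tn8yhr1csg.example NXDOMAIN
192.168.50.40 updates.vendor.example NOERROR
192.168.50.23 q9wz3dfk6jmp.example NXDOMAIN
192.168.50.23 h2vx7nlc5ryt.example NXDOMAIN
192.168.50.40 wwww-typo.example NXDOMAIN
192.168.50.23 m8gk1pzq4wbd.example NXDOMAIN
192.168.50.23 t5jr9sxn3hcv.example NXDOMAIN
192.168.50.23 time.example NOERROR
192.168.50.41 aaaaaaaaaaaa.example NXDOMAIN
"""

MIN_LABEL_LEN = 10   # short labels are usually typos, not generated names
MIN_ENTROPY = 3.0    # bits per character in the leftmost label
MIN_NAMES = 5        # distinct suspicious NXDOMAIN names before alerting


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    counts = Counter(label)
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def is_dga_like(name):
    """Heuristic: long, high-entropy leftmost label."""
    label = name.split(".")[0].lower()
    return len(label) >= MIN_LABEL_LEN and label_entropy(label) >= MIN_ENTROPY


def flag_clients(log_text, min_names=MIN_NAMES):
    """Return {client_ip: count} for clients with many failed DGA-like lookups."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, name, rcode = parts
        if rcode == "NXDOMAIN" and is_dga_like(name):
            failed[client].add(name.lower())
    return {c: len(n) for c, n in failed.items() if len(n) >= min_names}


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

The thresholds need tuning against a baseline of the network's normal DNS traffic, since CDN and telemetry hostnames can also look random.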
What Makes Vo1d So Dangerous?
Vo1d is a multi-functional cybercrime tool, primarily turning compromised Android TVs into proxy servers for hiding malicious traffic. This allows cybercriminals to:
- Evade security filters and bypass regional restrictions
- Conduct illegal online activities while appearing as legitimate users
- Manipulate online advertising through fraudulent clicks and views
The malware also includes specialized plugins that simulate human-like interactions, making it difficult for ad platforms to detect fraudulent activity. It even integrates the Mzmess SDK, which helps distribute fraudulent tasks across infected devices.
How to Protect Your Android TV from Vo1d
Since the exact infection method remains unknown, cybersecurity experts recommend taking proactive steps to minimize risk:
1. Buy Smart – Purchase Android TV devices only from trusted vendors and authorized resellers to reduce the chance of pre-installed malware.
2. Stay Updated – Regularly install firmware updates and security patches to fix vulnerabilities that hackers might exploit.
3. Be Cautious with Apps – Avoid downloading apps from outside the Google Play Store and refrain from installing unofficial firmware that promises extra features.
4. Disable Remote Access – If you don’t need remote access, turn it off to prevent unauthorized control of your device.
5. Use Network Isolation – Keep your IoT devices on a separate network from devices that store sensitive information.
6. Go Offline When Possible – If an Android TV isn’t in use, consider disconnecting it from the internet as an added security measure.
As botnets like Vo1d continue to evolve and expand, securing smart home devices is no longer optional—it’s essential. Cybercriminals are increasingly targeting IoT ecosystems, and staying vigilant is the best defense against emerging threats.