A new variant of the Vo1d botnet has now infected 1,590,299 Android TV devices across 226 countries and regions. Criminals use the compromised devices as nodes in anonymous proxy networks.
This is according to a report by Xlab, covered by BleepingComputer. According to Xlab, the botnet peaked on Jan. 14, 2025; at the time of writing, about 800,000 bots were still active.
In September 2024, researchers at Dr.Web found 1.3 million devices in 200 countries infected with Vo1d through an infection mechanism that remains unknown. Xlab's recent findings show that, despite that disclosure, the botnet has continued to evolve and now operates at a larger scale.
The new variant adds stronger encryption (RSA combined with a modified XXTEA), a more resilient infrastructure built on a domain generation algorithm (DGA), and improved stealth.
The Vo1d botnet is among the largest in recent years, surpassing Bigpanzi, the original Mirai operation, and the botnet behind the record-breaking 5.6 Tbps DDoS attack that Cloudflare mitigated last year.
Biggest impact in Brazil
As of February 2025, the botnet has the greatest impact in Brazil, which accounts for nearly 25% of infections. Other heavily affected countries include South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%) and China (3.1%). The researchers also observed rapid waves of infection, for example in India, where the number of infected devices rose from 3,900 to 217,000 in just three days.
The researchers suspect that these rapid fluctuations indicate that the Vo1d operators rent out parts of the botnet to other criminal groups. The rent-back cycle would work like this: during a rental period, a subset of bots is temporarily redirected to the renter's infrastructure, so they stop reporting to Vo1d's own C2 and the visible infection count drops sharply. When the rental ends, the bots return to the Vo1d network and the count jumps back up.
Vo1d's command-and-control (C2) network is very large: it uses 32 DGA seeds that together generate more than 21,000 candidate C2 domains. Communication with the infected devices is additionally protected by a 2048-bit RSA key, so even if researchers discover and register one of the generated domains, they cannot issue commands the bots will accept without the operators' private key.
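The combination described above (a DGA that gives the operators many rendezvous domains, plus an RSA key that keeps a sinkholed domain from being useful) is a common C2 design, and the following Go program shows why sinkholing alone is not enough. This is an added, illustrative example, not code from Vo1d or from the Xlab report: the hash-based DGA, the seed names, the date string and the `proxy:start` command are all assumptions made here; the report does not publish Vo1d's actual algorithm, and the modified XXTEA layer is not modelled. What the example does show is the asymmetry that matters to a defender: the bot embeds only the public key, so whoever registers a generated domain can receive beacons but cannot produce a signature the bot accepts.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// generateDomains is a hypothetical, hash-based DGA used only to illustrate
// how a handful of seeds expands into thousands of candidate C2 names.
// It is NOT Vo1d's algorithm, which the report does not publish.
func generateDomains(seed, date string, count int, tld string) []string {
	domains := make([]string, 0, count)
	for i := 0; i < count; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", seed, date, i)))
		// 6 bytes -> 12 hex characters keeps the label short and DNS-legal.
		domains = append(domains, hex.EncodeToString(sum[:6])+"."+tld)
	}
	return domains
}

// signCommand is the operator side: only the holder of the private key can
// produce a signature over a command.
func signCommand(priv *rsa.PrivateKey, cmd []byte) ([]byte, error) {
	digest := sha256.Sum256(cmd)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyCommand is the bot side: the sample embeds only the public key, so a
// researcher who sinkholes a generated domain cannot forge an accepted command.
func verifyCommand(pub *rsa.PublicKey, cmd, sig []byte) bool {
	digest := sha256.Sum256(cmd)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// 32 seeds x 656 names per seed is roughly the 21,000 candidates the report describes.
	total := 0
	for s := 0; s < 32; s++ {
		total += len(generateDomains(fmt.Sprintf("seed-%02d", s), "2025-02-13", 656, "com"))
	}
	fmt.Println("candidate C2 domains:", total)

	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// The researcher running a sinkhole has their own key pair but not the operator's.
	sinkhole, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	cmd := []byte("proxy:start") // hypothetical command string
	good, _ := signCommand(operator, cmd)
	forged, _ := signCommand(sinkhole, cmd)
	fmt.Println("operator command accepted:", verifyCommand(&operator.PublicKey, cmd, good))
	fmt.Println("sinkhole command accepted: ", verifyCommand(&operator.PublicKey, cmd, forged))
}
```

For a defender this means the practical value of enumerating the DGA output is in blocking or monitoring the generated names, not in taking over the bots; a takedown needs the registrar or hosting side, or the private key.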
Various cybercriminal activities
The Vo1d botnet is used for several kinds of criminal activity. One important function is building proxy networks in which the infected devices act as anonymous proxies, letting criminals hide the origin of their traffic and bypass regional security filters.
The botnet is also used for ad fraud: it simulates human interaction by clicking on ads and watching videos, generating fraudulent ad revenue. The malware uses dedicated plug-ins and the Mzmess SDK system, which distributes fraud tasks across different bots.
Since the exact infection mechanism is still unknown, users are advised to take precautions. In particular, buy Android TV devices only from trusted vendors to reduce the risk of pre-installed malware.
Install firmware and security updates promptly to close known vulnerabilities. Avoid sideloading apps from outside Google Play, and avoid custom firmware that promises unlocked features.
Disable remote access when it is not needed and take devices offline when they are not in use. Finally, isolate IoT devices on a separate network segment from the devices that hold sensitive data.