A new version of the Vo1d malware botnet has infected over 1.59 million Android TV devices in 226 countries, according to cybersecurity researchers at XLab.

The botnet, which recruits compromised devices into anonymous proxy server networks, peaked on January 14, 2025, and currently has around 800,000 active bots.

First detected in September 2024 by Dr. Web antivirus, Vo1d initially compromised 1.3 million devices. However, the latest findings indicate that the botnet has evolved, using stronger encryption, domain generation algorithms (DGA), and improved stealth capabilities to avoid detection.

Nearly 25% of the infections are in Brazil, followed by South Africa, Indonesia, Argentina, Thailand, and China. Some regions, like India, saw rapid infection spikes, with the bot count jumping from 3,900 to 217,000 in just three days. Researchers speculate that Vo1d operators may be “renting” infected devices for illegal activities and then returning them to the main network.

The Vo1d botnet turns infected devices into proxy servers, hiding cybercriminal activities behind legitimate internet traffic. It is also used for ad fraud, faking clicks and video views to generate revenue. The malware employs advanced encryption to protect its command and control (C2) infrastructure, making it difficult for security experts to disrupt its operations.

With the infection method still unknown, experts recommend buying Android TV devices from reputable sellers, keeping firmware updated, avoiding third-party apps, and disabling remote access when not needed. Isolating smart devices from sensitive data on home networks can further reduce security risks.
