Millions of Android TVs hijacked in massive botnet — how to see if yours is at risk

The Vo1d malware botnet found on 1.3 million devices back in September 2024 has grown significantly. According to a report from Xlab, a new variant has infected an additional 1.6 million Android TVs across 226 countries.

That makes Vo1d one of the largest botnets seen in recent years, surpassing both Bigpanzi and even Mirai.

As of February 2025, the largest shares of infected devices were seen in Brazil (25%), South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%) and Thailand (3.4%).

The botnet, which has been compromising devices via an unknown vector, has apparently been recruiting new Android TV boxes as part of anonymous proxy server networks and has evolved with advanced encryption (RSA + custom XXTEA), resilient DGA-powered infrastructure and enhanced stealth capabilities.

Not only is Vo1d one of the largest botnets seen in recent years, far exceeding other sizable infections, but its size also fluctuates and surges in ways that suggest the operators may be renting out the infected devices as proxy servers.

Notable surges, like one which occurred in India that varied from 3,900 to 217,000 bots in a matter of days, indicate that the devices are likely being used in a kind of “rental-return cycle.”

According to Xlab, in such a pattern, the bots are diverted from the main Vo1d network to service a lessee’s directives, which would cause a sudden drop in the overall Vo1d infection count. Then, when the lease period ends and the bots return to the network, a spike is seen in the infection count as the bots again become active and under Vo1d’s control.
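The drop-then-return pattern described above can be picked out of a daily bot-count series, as in this added example (not code from Xlab or Tom's Guide). The series are constructed, only the 3,900 and 217,000 figures come from the article, and the function name and thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class LeaseWindow:
    start: int        # first day the count fell below the drop threshold
    end: int          # day the count was back near the old baseline
    trough: int       # lowest count seen while the bots were away
    baseline: float   # median of the days just before the drop

def find_lease_windows(counts, lookback=5, drop_ratio=0.25, recover_ratio=0.8):
    """Return completed drop-then-return episodes in a daily bot-count series.

    lookback, drop_ratio and recover_ratio are assumed tuning values.
    """
    windows = []
    i = lookback
    while i < len(counts):
        baseline = median(counts[i - lookback:i])
        if baseline > 0 and counts[i] <= baseline * drop_ratio:
            j = i
            # Walk forward until the count climbs back near the old baseline.
            while j < len(counts) and counts[j] < baseline * recover_ratio:
                j += 1
            if j == len(counts):
                break  # never came back: cleanup or takedown, not a lease
            windows.append(LeaseWindow(i, j, min(counts[i:j]), baseline))
            i = j + lookback  # rebuild the baseline from post-return days
            continue
        i += 1
    return windows

# Constructed daily counts for one country; only the 3,900 and 217,000
# extremes are taken from the article.
LEASED = [215000, 217000, 214000, 216000, 217000, 3900, 4200, 4100,
          212000, 216000, 215000, 217000, 214000, 216000]
# Constructed slow decline (devices being cleaned up): no sudden drop.
DECLINE = [200000, 180000, 162000, 146000, 131000, 118000, 106000, 95000]
# Constructed drop with no return inside the observation period.
GONE = [216000] * 5 + [3900, 4000, 4100]

if __name__ == "__main__":
    for name, series in (("LEASED", LEASED), ("DECLINE", DECLINE), ("GONE", GONE)):
        print(name, find_lease_windows(series))
```

Only the first series yields a window: a gradual decline or a drop that never recovers does not fit the lease pattern.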

What is the Vo1d botnet?

A malware tool, the Vo1d botnet can compromise Android TV boxes as well as PCs and turn them into proxy servers so that they can help the hackers behind it facilitate malicious or illegal operations.

The infected systems that become part of the botnet’s network can relay traffic for the hackers, which shields their activity by camouflaging it among other network traffic. This means the hackers controlling the bot network can bypass regional restrictions, security filters or protections that have been hindering their fraudulent, malicious or illegal activities.

Vo1d can also fake user interactions via plugins that automate ad interactions and simulate human-like browsing behavior to fake clicks on ads or views on video platforms to commit ad fraud and generate revenue for fraudulent advertisers.

How to stay safe from the Vo1d botnet

Since the infection chain remains unknown, the recommendation is to follow a “holistic approach,” meaning to sidestep the threat at its source. This means you'll want to stick to buying streaming devices only from reputable vendors. Trustworthy resellers and retailers minimize the likelihood of a device arriving pre-loaded with malware.

A Google spokesperson commented to Bleeping Computer: “These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results.

“Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

Additionally, users should always make sure to keep their firmware up to date and install the latest security patches as soon as they become available. Likewise, you want to avoid sideloading apps and stick to only using apps from the Google Play Store and other official app stores. Android TV devices can also have their remote access features disabled when not in use, which takes them offline. This can provide an extra layer of security to protect your devices and your data.

It might also be worth investing in one of the best Wi-Fi routers or the best mesh Wi-Fi systems with security software built-in. While the best antivirus software can keep your PC safe from malware, network-wide security solutions like Netgear's Armor or TP-Link's HomeShield protect all of the devices connected to your home network from viruses and other threats.

Televisions, like any smart home device, need to be protected with strong passwords and smart security practices as they’re susceptible to being hacked like any other Wi-Fi connected device. If you want our recommendation for the best Android TV device, we like the Nvidia Shield even though it is now several years old.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
