Researchers at cybersecurity firm XLab have discovered that a new variant of the massive botnet “Vo1d” has infected over 1.6 million Android TV devices across 200+ countries and regions, expanding its reach rapidly.
This development raises serious concerns about the security of Internet of Things (IoT) devices and their potential exploitation in large-scale cyberattacks.
“Imagine sitting on your couch watching TV when suddenly the screen flickers, the remote stops working, and the program is replaced by garbled code and eerie commands. Your TV, as if hijacked by an invisible force, becomes a ‘digital puppet.’ This isn’t science fiction—it’s a real and growing threat. The Vo1d botnet is silently taking control of millions of Android TV devices worldwide,” XLab researchers wrote in a blog post on Thursday.
According to XLab researchers’ findings, the Vo1d malware, which primarily targets Android TVs and set-top boxes, currently has 800,000 active bots. The botnet peaked at 1,590,299 on January 14, 2025.
The Vo1d botnet exploits security flaws in low-cost Android TV boxes, many of which run outdated software.
Once infected, these devices are integrated into a botnet—a network of hijacked systems used for malicious activities such as distributed denial-of-service (DDoS) attacks, cryptocurrency mining, and data theft.
Notably, the malware operates stealthily, and users often notice no immediate signs of infection.
However, affected devices may show degraded performance, unexpected pop-ups, or unusual network activity.
XLab’s analysis revealed that Vo1d employs sophisticated techniques to enhance its stealth, resilience, and anti-detection capabilities:
- Enhanced Encryption: The malware uses RSA encryption for its network communications, so even if researchers register the DGA domains, they cannot take over command and control (C2).
- Infrastructure Upgrade: Vo1d uses both hardcoded and domain generation algorithm (DGA)-based redirector C2s to improve flexibility and resilience.
- Payload Delivery Optimization: Each payload is delivered through its own unique downloader, which uses XXTEA encryption with RSA-protected keys, making analysis and detection harder.
The rapid proliferation of the Vo1d botnet underscores the vulnerabilities inherent in IoT devices, particularly those with outdated security measures.
While the Vo1d botnet is primarily designed for profit, its complete control over devices can enable attackers to carry out large-scale cyberattacks or other criminal activities.
For instance, the sheer scale of the Vo1d botnet surpasses that of previous threats such as Bigpanzi and the original Mirai botnet, as well as the botnet behind Cloudflare’s record-breaking 5.6 Tbps DDoS attack of 2024.
Compromised devices could be manipulated to broadcast unauthorized content, as evidenced by incidents where AI-generated footage was displayed on televisions without authorization.
As of February 2025, Brazil accounts for nearly 25% of the infections, followed by South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%), and China (3.1%).
To safeguard against such threats, Android TV and set-top box users can take preventive measures such as:
- ensuring that their devices are running the latest software;
- downloading applications only from trusted sources to minimize the risk of malware infection;
- replacing default passwords with strong, unique ones to enhance device security;
- keeping an eye on network activity for unusual data usage patterns that may indicate a compromised device.
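The DGA-based C2 infrastructure described above and the advice to watch for unusual network activity point at the same defensive check: a compromised box querying a stream of random-looking domain names. The following script is an added example, not code from the article or from XLab; it runs a generic DGA-style heuristic (registrable label length, Shannon entropy, vowel ratio) over constructed DNS query log lines in an assumed `<timestamp> <client-ip> <queried-name>` format and reports clients that resolve several such names. The thresholds and the log format are assumptions, and the heuristic says nothing about Vo1d's real DGA, which the article does not describe.

```python
"""Heuristic DGA-style domain detection over DNS query logs (added example).

Assumptions (hypothetical, not taken from Vo1d samples): each log line is
"<timestamp> <client-ip> <queried-name>", and the thresholds below are
generic indicators of machine-generated names, not Vo1d's actual algorithm.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): one Android TV box (192.168.1.20)
# mixing normal lookups with three random-looking names, and one laptop
# (192.168.1.21) that only resolves ordinary names.
SAMPLE_DNS_LOG = """\
2025-02-27T10:00:01Z 192.168.1.20 www.google.com
2025-02-27T10:00:03Z 192.168.1.20 api.example-tv-app.com
2025-02-27T10:00:05Z 192.168.1.20 xk3jq9zv2hw7mpqr.top
2025-02-27T10:00:06Z 192.168.1.20 b7wqzlp4ykt9sxdn.top
2025-02-27T10:00:08Z 192.168.1.20 qz81vtmk3xpw6rhj.xyz
2025-02-27T10:00:09Z 192.168.1.21 mail.example.org
2025-02-27T10:00:11Z 192.168.1.21 updates.androidtv.example
2025-02-27T10:00:12Z 192.168.1.21 githubusercontent.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name: str) -> str:
    """Label directly left of the TLD (a simple stand-in for the registrable domain)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[0] if len(labels) < 2 else labels[-2]


def is_dga_like(name: str, min_len: int = 12, min_entropy: float = 3.5,
                max_vowel_ratio: float = 0.25) -> bool:
    """Flag long, high-entropy, vowel-poor labels; all thresholds are assumptions."""
    label = registrable_label(name)
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_dns_log(text: str) -> list[tuple[str, str, str]]:
    """Parse the assumed three-column format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2]))
    return records


def dga_hits_per_client(records) -> dict[str, int]:
    """Count distinct DGA-like names per client IP (only clients with hits)."""
    hits: dict[str, set[str]] = defaultdict(set)
    for _ts, client, name in records:
        if is_dga_like(name):
            hits[client].add(name.lower())
    return {client: len(names) for client, names in hits.items()}


def suspicious_clients(records, threshold: int = 3) -> list[str]:
    """Clients that resolved at least `threshold` distinct DGA-like names."""
    return sorted(c for c, n in dga_hits_per_client(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for client, n in dga_hits_per_client(recs).items():
        print(f"{client}: {n} DGA-like name(s)")
    print("clients to investigate:", suspicious_clients(recs))
```

Run against a home router's or resolver's query log exported in the assumed format, the script surfaces the TV box rather than any single domain, which matters because a DGA produces a different name each time and per-domain blocklists lag behind it. A single hit is weak evidence (CDN hostnames can look random), which is why the report requires several distinct names per client before raising it.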