Vo1d
Vo1d is a large-scale Android malware/botnet family targeting Android TV devices, unofficial Android-based TV boxes, and related streaming/media devices. Public reporting first disclosed the botnet in September 2024; later research tracked roughly 1.6 million infected devices across 226 countries, while other reporting cited multi-million-scale activity and peaks above 1.59 million active infected Android TVs. The infection vector was initially undetermined, but Vo1d has repeatedly been associated with preinstalled or supply-chain-style compromise of low-cost Android TV hardware, and related research has also linked Vo1d artifacts to malicious payload delivery on Uhale-based digital picture frames.
Vo1d is modular and has been tied to a plugin/component called Popa, which functions as a residential-proxy/proxyware module. Popa registers infected devices, maintains long-lived encrypted connections, and opens communication tunnels on demand, effectively turning compromised devices into residential proxy exit nodes. XLab reported that Popa used at least nine hardcoded C2 domains, including gmslb[.]net, and Nokia Deepfield later concluded that Vo1d's Popa plugin, RoboVPN's bundled Neunative SDK, and Popanet samples were different clients for the same proxy backend. Reported Popa-related control or relay domains include gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io. Researchers reported that this proxy infrastructure has been used for advertising fraud, account takeovers, and mass scraping, and potentially for access into local networks.
XLab documented a newer Vo1d campaign involving a downloader variant identified as jddx, described as a previously undiscovered Vo1d downloader delivering fresh Vo1d payloads. The campaign used expanded DGA infrastructure, Redirector C2s, a multi-domain and multi-port C2 design, and RSA-protected communications to resist takeover. Technical reporting states that Vo1d uses XXTEA with RSA-wrapped keys, and that the campaign introduced a modified XXTEA variant referred to as asr_xxtea. XLab identified infrastructure including 21 C2 domains, 258 DGA seeds, and more than 100,000 DGA domains, with core infrastructure including the IPs 3.146.93[.]253 and 3.132.75[.]97 and domains such as ssl8rrs2.com, ttss442, and works883. One reported downloader sample was s63 with MD5 9e116f9ad2ff072f02aa2ebd671582a5.
Vo1d has been associated with monetization through proxy services and ad-fraud/fake traffic. Reporting also links it to broader Android botnet ecosystems including Triada, BADBOX, and Keenadu. Kaspersky noted that the domain g.sxim[.]me was used both by a Triada module and by a Vo1d backdoor module, suggesting possible infrastructure overlap. Additional reporting described code, infrastructure, or payload-delivery similarities among Keenadu, Triada, BADBOX, and Vo1d, but did not establish them as the same operation.
Known indicators and artifacts directly mentioned in the reporting include domains gmslb[.]net, safernetwork[.]io, tera-home[.]com, ninjatech[.]io, g.sxim[.]me, ssl8rrs2.com, ttss442, works883, and IPs 3.146.93[.]253, 3.132.75[.]97, and 38.46.218.36. Vo1d-related activity has also been linked to package prefixes, string names, endpoints, and artifact locations observed in malicious Android payloads on other device classes.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Command and Control: 4 techniques
Popa appears designed with a singular purpose: implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand.
IOCs tracked for this family
63 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Large-scale botnet/malware campaign targeting unofficial Android-based TV boxes; Popa is described as a plugin component tied to this ecosystem.
Named campaign referenced as linked to the Popa SDK in prior public research.
Botnet family listed among the largest by IP count in 2025.
An Android TV botnet with over 1.6 million devices that uses Bigpanzi-like string decryption but is described as an independent operation.