A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks.
This is according to an investigation by XLab, which has been tracking the new campaign since last November and reports that the botnet peaked on January 14, 2025, and currently has 800,000 active bots.
In September 2024, Dr. Web antivirus researchers found 1.3 million devices across 200 countries compromised by Vo1d malware via an unknown infection vector.
XLab’s recent report indicates that the new version of the Vo1d botnet continues its operations on a larger scale, not deterred by the previous exposure.
Moreover, the researchers underline that the botnet has evolved with advanced encryption (RSA + custom XXTEA), resilient DGA-powered infrastructure, and enhanced stealth capabilities.
Massive botnet size
The Vo1d botnet is one of the largest seen in recent years, surpassing Bigpanzi, the original Mirai operation, and the botnet responsible for a record-breaking 5.6 Tbps DDoS attack handled by Cloudflare last year.
As of February 2025, nearly 25% of the infections impact Brazilian users, followed by devices in South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%), and China (3.1%).
The researchers report that the botnet has had notable infection surges, like going from 3,900 to 217,000 bots in India within just three days.
The largest fluctuations suggest that the botnet operators may be “renting” devices as proxy servers, which are commonly used to conduct further illegal activity or botting.
“We speculate that the phenomenon of “rapid surges followed by sharp declines” may be attributed to Vo1d leasing its botnet infrastructure in specific regions to other groups. Here’s how this “rental-return” cycle could work:
Leasing Phase:
At the start of a lease, bots are diverted from the main Vo1d network to serve the lessee’s operations. This diversion causes a sudden drop in Vo1d’s infection count as the bots are temporarily removed from its active pool.
Return Phase:
Once the lease period ends, the bots rejoin the Vo1d network. This reintegration leads to a rapid spike in infection counts as the bots become active again under Vo1d’s control.
This cyclical mechanism of “leasing and returning” could explain the observed fluctuations in Vo1d’s scale at specific time points.”
XLab
The scale of its command and control (C2) infrastructure is also impressive, with the operation using 32 domain generation algorithm (DGA) seeds to produce over 21,000 C2 domains.
C2 communication is protected by a 2048-bit RSA key, so even if researchers identify and register a C2 domain, they cannot issue commands to the bots.
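A defender-side check for the footprint that a DGA-driven C2 rendezvous like the one described above tends to leave in resolver logs: one device producing many NXDOMAIN answers for high-entropy, never-repeated names. This is an added example, not XLab's code and not Vo1d's actual algorithm; the log format, client addresses and domain names are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real Vo1d indicators): "<client> <qname> <rcode>"
SAMPLE_LOG = """\
10.0.0.21 www.example.org NOERROR
10.0.0.21 cdn.example.net NOERROR
10.0.0.34 kq3xv8zt2p.com NXDOMAIN
10.0.0.34 zp9w4rm1lk.net NXDOMAIN
10.0.0.34 xt7c2vq9hb.com NXDOMAIN
10.0.0.34 m1q8zr5wvj.org NXDOMAIN
10.0.0.34 update.example.com NOERROR
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the registrable label, ignoring the TLD."""
    parts = name.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_clients(log_text: str, min_queries: int = 4,
                  nx_ratio: float = 0.5, min_entropy: float = 3.0) -> dict:
    """Return {client: stats} for clients whose DNS pattern looks DGA-like:
    mostly NXDOMAIN answers to high-entropy names that are never repeated."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy": 0.0, "names": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        client, qname, rcode = m.groups()
        st = per_client[client]
        st["queries"] += 1
        st["nxdomain"] += int(rcode == "NXDOMAIN")
        st["entropy"] += label_entropy(qname)
        st["names"].add(qname.lower())
    flagged = {}
    for client, st in per_client.items():
        if st["queries"] < min_queries:
            continue  # too little data to judge this client
        ratio = st["nxdomain"] / st["queries"]
        mean_entropy = st["entropy"] / st["queries"]
        if ratio >= nx_ratio and mean_entropy >= min_entropy:
            flagged[client] = {"queries": st["queries"], "nxdomain_ratio": round(ratio, 2),
                               "mean_entropy": round(mean_entropy, 2), "unique_names": len(st["names"])}
    return flagged
```

Thresholds are starting points; tune them against a baseline of your own Android TV and IoT segment before alerting on them.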
Vo1d capabilities
The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices into proxy servers to facilitate illegal operations.
Infected devices relay malicious traffic for the cybercriminals, hiding the origin of their activity and blending in with residential network traffic. This also helps the threat actors bypass regional restrictions, security filtering, and other protections.
Another function of Vo1d is ad fraud, faking user interactions by simulating clicks on ads or views on video platforms to generate revenue for fraudulent advertisers.
The malware has specific plugins that automate ad interactions and simulate human-like browsing behavior, as well as the Mzmess SDK, which distributes fraud tasks to different bots.
Given that the infection chain remains unknown, it is recommended that Android TV users follow a holistic security approach to mitigate the Vo1d threat.
The first step is buying devices from reputable vendors and trustworthy resellers to minimize the likelihood of malware being pre-loaded from the factory or while in transit.
Secondly, it is crucial to install firmware and security updates that close gaps that may be leveraged for remote infections.
Thirdly, users should avoid installing apps from sources other than Google Play, as well as third-party firmware images that promise extended or “unlocked” functionality.
Android TV devices should have their remote access features disabled if not needed, while taking them offline when not used is also an effective strategy.
Finally, IoT devices should be isolated at the network level from devices that hold sensitive data.