Introduction to the Vo1d Botnet

Cybersecurity researchers from Xlab have discovered a new variant of the Vo1d malicious botnet, which has grown to infect approximately 1.6 million devices across 226 countries.

The botnet's size varies from day to day, and while it peaked in mid-January 2025, it currently counts around 800,000 devices. The initial infection vector is unknown, but the majority of victims are located in Brazil, South Africa, Indonesia, Argentina, Thailand, and China.

Botnet Capabilities

The Vo1d botnet is being used as an anonymous proxy, redirecting criminal traffic and blending it with legitimate consumer traffic. It comes with advanced encryption, strong infrastructure powered by DGA, and state-of-the-art obfuscation techniques.

The botnet can be used for various malicious activities, including Distributed Denial of Service (DDoS) attacks, residential proxies, ad manipulation, and more.

Impact on Android TV Devices

Android TV devices infected with the Vo1d botnet will behave unusually, displaying symptoms such as sluggish performance, random ads, and frequent crashes. To clean up the device, users should check their installed apps, remove anything unfamiliar or suspicious, scan with Google Play Protect, monitor their network's activity, and ultimately perform a factory reset if needed.

Google's Response

A Google spokesperson warned about Android devices outside Play Protect, stating that these off-brand devices discovered to be infected were not Play Protect certified Android devices. Google doesn't have a record of security and compatibility test results for these devices.

Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help users confirm whether a device is built with Android TV OS and Play Protect certified, Google's Android TV website provides the most up-to-date list of partners.