Researchers find a new variant of the Vo1d botnet

It seems to be designed to be an anonymous proxy

At peak, it counted almost 1.6 million devices

If you are an Android TV user, take note: there is a new and dangerous botnet infecting endpoints left and right.

Cybersecurity researchers from Xlab have started tracking a new variant of the Vo1d malicious botnet which, in a span of just a couple of months, grew to roughly 1.6 million devices across 226 countries. The botnet’s size varies from day to day, and while it peaked in mid-January 2025, it currently counts around 800,000 devices, the researchers said.

The initial infection vector is currently unknown. The largest share of victims is located in Brazil (25%), followed by South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%) and China (3.1%).

Botnet for hire

A botnet can be used for many things, including Distributed Denial of Service (DDoS) attacks, residential proxies, ad manipulation, and more. In this case, Vo1d is being used as an anonymous proxy, relaying criminal traffic and blending it in with legitimate consumer traffic. It comes with advanced encryption, strong infrastructure powered by a domain generation algorithm (DGA), and state-of-the-art obfuscation techniques.

Since the number of infected devices varies greatly from day to day, the researchers believe the criminals are “renting” devices as proxy servers.

“We speculate that the phenomenon of ‘rapid surges followed by sharp declines’ may be attributed to Vo1d leasing its botnet infrastructure in specific regions to other groups,” they said. So, on days when Vo1d had significantly fewer bots, its operators had probably just “given” the devices to someone else to use.

Android TV devices infected with malware will behave unusually. They will be sluggish, they will randomly display ads, or frequently crash seemingly without cause. To clean up the device, users should check their installed apps and remove anything unfamiliar or suspicious, scan with Google Play Protect, monitor their network’s activity and ultimately, if needed, perform a factory reset.

Via BleepingComputer