The Vo1d malware botnet has infected more than 1.5 million Android TV devices globally, making it one of the largest botnet operations seen in recent years. According to researchers, the Vo1d malware botnet peaked in January 2025 with nearly 1.6 million compromised devices across 226 countries, and around 800,000 of these remain active today.
When it was originally detected in September 2024, the Vo1d malware botnet had been found on over 1.3 million devices across 200 countries.
Despite being exposed, the botnet has evolved with enhanced encryption techniques, improved stealth mechanisms, and a resilient infrastructure powered by a domain generation algorithm (DGA). These upgrades have made the botnet even more difficult for security experts to disrupt.
The infection rates vary across regions, with Brazil experiencing the highest number of compromised devices, accounting for 25% of infections. South Africa follows with 13.6%, while Indonesia, Argentina, Thailand, and China also report significant infection numbers. One particularly alarming incident occurred in India, where infections surged from 3,900 devices to over 217,000 within only three days.
Researchers believe that part of the botnet’s rapid growth and fluctuation is due to its leasing model, where infected devices are temporarily rented out as anonymous proxy servers to other cybercriminal groups. Once these leasing periods end, the devices return to the main Vo1d malware botnet, causing infection counts to spike again.
The botnet’s infrastructure is vast, using 32 DGA seeds to generate over 21,000 potential command and control (C2) domains. C2 communication is protected with 2048-bit RSA encryption, so even if researchers manage to seize a C2 domain, they are unable to issue commands to the infected devices.
The botnet serves multiple purposes, with compromised Android TVs acting as proxies to relay malicious traffic, hiding the origin of criminal activity. In addition, the botnet engages in ad fraud, using dedicated plugins to simulate fake clicks and video views, generating fraudulent advertising revenue.
To protect against the Vo1d malware botnet, Android TV users are advised to purchase devices only from reputable sellers, install firmware updates, avoid downloading apps from unofficial sources, disable remote access features, and isolate smart TVs from networks containing sensitive data.
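A device that walks a DGA list like the one described above looks up many names that were never registered, so a burst of distinct NXDOMAIN answers from one client is a practical signal in resolver logs. The Python sketch below is an added example, not code from the researchers or the original article; the log format, addresses, domain names, window and threshold are constructed assumptions, and it does not reproduce Vo1d's actual algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "timestamp client-ip qname rcode" (all values invented).
SAMPLE_LOG = """\
2025-01-10T03:00:01 192.168.50.21 qk3vtx9a2lmd.example NXDOMAIN
2025-01-10T03:00:02 192.168.50.21 h7pz0wne4ybc.example NXDOMAIN
2025-01-10T03:00:02 192.168.1.10 mail.example NOERROR
2025-01-10T03:00:03 192.168.50.21 r2jd8sgu5xqo.example NXDOMAIN
2025-01-10T03:00:04 192.168.50.21 m9caf1tk6vzi.example NXDOMAIN
2025-01-10T03:00:05 192.168.1.10 exmaple-typo.example NXDOMAIN
2025-01-10T03:00:05 192.168.50.21 b4ly3ehp7wnu.example NXDOMAIN
2025-01-10T03:00:06 192.168.50.21 qk3vtx9a2lmd.example NXDOMAIN
2025-01-10T03:00:07 192.168.50.21 z6ow2ixr8gjs.example NXDOMAIN
2025-01-10T03:00:08 192.168.50.21 t1un5bqd0kfa.example NOERROR
"""

def parse(log):
    """Yield (time, client, qname, rcode) for each log line."""
    for line in log.strip().splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def dga_suspects(log, window=timedelta(minutes=10), threshold=5):
    """Return {client: peak count of distinct NXDOMAIN names in any window}
    for clients whose peak reaches the threshold."""
    failures = defaultdict(list)  # client -> [(time, qname)]
    for ts, client, qname, rcode in parse(log):
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    suspects = {}
    for client, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            # Retries of the same name count once.
            best = max(best, len({q for _, q in events[start:end + 1]}))
        if best >= threshold:
            suspects[client] = best
    return suspects

if __name__ == "__main__":
    for client, count in dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct NXDOMAIN names in 10 minutes")
```

Tune the window and threshold against a baseline of normal traffic on the segment where the TV boxes live, since a single mistyped name from a laptop should not trip the rule.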
With its expanding scale and advanced tactics, the Vo1d malware botnet presents an ongoing threat to smart TV users and the wider cybersecurity landscape.
