1.3 Million Android TV Boxes Infected by Vo1d Malware


A newly identified Android malware family has infected roughly 1.3 million TV boxes that are running older versions of the mobile operating system, Doctor Web warns.

The malware, dubbed Vo1d, is a backdoor that can fetch and install additional software, based on commands received from its command-and-control (C&C) server.

The threat, Doctor Web discovered, drops its components in the system storage area, posing as legitimate OS components, and uses at least three methods to anchor itself to the system and ensure that it launches automatically when the device reboots.

Vo1d was seen leveraging its ability to write to the system directory to hook itself into an Android script that is executed at operating system launch, and which automatically runs specified components.

Additionally, the malware registers itself to a file responsible for providing root privileges, also with an autostart component, and replaces a daemon typically used to create reports on system errors with a script that launches a malicious component.

According to Doctor Web, one of the analyzed devices only contained the malicious script, likely because it was infected twice and the second infection completely removed the legitimate daemon file, thus breaking the error logging feature.

The backdoor’s main functionality is controlled by two separate components, one of which launches and oversees the other’s activity, restarting it if necessary, and can download and execute additional payloads if instructed by the C&C.

The second module installs and runs a daemon also capable of fetching and executing payloads, and monitors specified directories to install APKs found in them.
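As an added defender's example (not code from Doctor Web's report or this article), the following Python script diffs the files found on a device against a clean-firmware manifest and flags the four conditions described above: a new component dropped into system storage, a modified startup script, a native daemon replaced by a shell script, and a legitimate daemon removed outright. All file names and contents are constructed placeholders, not the real Vo1d paths.

```python
import hashlib

ELF_MAGIC = b"\x7fELF"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Native binary, shell script, or something else, judged by magic bytes."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "other"


def audit_system(baseline: dict, current: dict) -> list:
    """Compare a clean manifest (path -> (sha256, kind)) with files read from a
    device (path -> bytes). Returns a sorted list of (path, finding)."""
    findings = []
    for path, (expected_hash, expected_kind) in baseline.items():
        data = current.get(path)
        if data is None:
            findings.append((path, "missing: baseline file removed"))
        elif expected_kind == "elf" and classify(data) == "script":
            findings.append((path, "replaced: native daemon is now a shell script"))
        elif sha256(data) != expected_hash:
            findings.append((path, "modified: content differs from clean firmware"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected: file not present in clean firmware"))
    return sorted(findings)


# Constructed sample data with hypothetical file names (placeholders, not real paths).
_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
CLEAN = {
    "/system/bin/crashd": _ELF + b"clean-crash-daemon",
    "/system/bin/init-hook.sh": b"#!/system/bin/sh\nstart netd\n",
    "/system/xbin/rootsvc": _ELF + b"clean-root-helper",
}
BASELINE = {p: (sha256(d), classify(d)) for p, d in CLEAN.items()}

# Simulated infected device: crash daemon swapped for a script, init script gained
# a line, root helper deleted, and an unknown binary added to system storage.
INFECTED = {
    "/system/bin/crashd": b"#!/system/bin/sh\nexec /system/bin/sysutil &\n",
    "/system/bin/init-hook.sh": CLEAN["/system/bin/init-hook.sh"] + b"/system/bin/sysutil &\n",
    "/system/bin/sysutil": _ELF + b"unknown-binary",
}

if __name__ == "__main__":
    for path, finding in audit_system(BASELINE, INFECTED):
        print(f"{path}: {finding}")
```

On a real device the `current` map would be built from a read-only pull of the system partition; a clean build of the same firmware supplies the baseline.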


According to Doctor Web, Vo1d has infected roughly 1.3 million devices in 197 countries, with Brazil being affected the most. Numerous infections were also seen in Algeria, Argentina, Ecuador, Indonesia, Malaysia, Morocco, Pakistan, Russia, Saudi Arabia, and Tunisia.

The cybersecurity firm notes that Vo1d likely targets Android-based boxes because they run older Android versions, such as Android 7.1, 10, and 12, that contain unpatched vulnerabilities.

Such vulnerable devices remain in use either because manufacturers chose not to use newer platform iterations, or because users may believe that TV boxes are not as exposed as other Android devices and may fail to install security software on them.

“The source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access,” Doctor Web notes.

SecurityWeek has contacted Google for a statement on the Vo1d malware and will update this article as soon as a reply arrives.

Related: BingoMod Android RAT Wipes Devices After Stealing Money

Related: Many Android Apps Expose Users to Attacks Due to Failure to Patch Google Library

Related: Advanced Android Spyware Remained Hidden for Two Years

Related: Android Malware Targets North Korean Defectors
