Over the weekend, a new botnet was discovered targeting Android devices: it scans for open debug ports and uses them to infect victims' devices with malware that mines the Monero cryptocurrency.
The botnet was first spotted on Saturday, February 3, 2018, targeting port 5555, the port used by the operating system's native Android Debug Bridge (ADB) on devices running the Android OS. ADB is a debugging interface that grants access to some of the most sensitive features of the operating system.
According to security researchers from Qihoo 360's Network Security Research Lab (Netlab) division, so far only devices running the Android OS have been infected, including smartphones, smart TVs and even TV set-top boxes. These researchers discovered the botnet and named it "ADB.miner".
The botnet has been tremendously aggressive and has grown daily: it exhibits worm-like behavior, with infected devices scanning other devices over the internet for the next victims, which is how it has reached around 7,400 infected devices.
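Detection logic for the scanning behavior described above, added here as an example that is not from the article or from Netlab: it parses constructed connection-log lines (the line format and all IP addresses are assumptions) and flags any source that probes port 5555 on many distinct hosts within a short window, which is the outbound pattern an infected device on your own network would show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADB_PORT = 5555  # TCP port of the Android Debug Bridge daemon
# Connection-log line format assumed for this example (constructed, not a real product's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])

def find_scanners(lines, min_targets=5, window=timedelta(minutes=10)):
    """Return {src: distinct_targets} for sources that probed port 5555 on at
    least min_targets distinct hosts inside some window-long period."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == ADB_PORT:
            events[rec[1]].append((rec[0], rec[2]))
    scanners = {}
    for src, hits in events.items():
        hits.sort()  # slide a time window over the source's probes
        for i, (t0, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners

# Constructed sample log: 10.0.0.12 fans out to six hosts on 5555 within
# seconds (worm-like); 10.0.0.5 contacts one ADB host twice (benign).
SAMPLE_LOG = """\
2018-02-04T10:00:01Z src=10.0.0.12 dst=203.0.113.1 dport=5555
2018-02-04T10:00:02Z src=10.0.0.12 dst=203.0.113.2 dport=5555
2018-02-04T10:00:03Z src=10.0.0.12 dst=203.0.113.3 dport=5555
2018-02-04T10:00:04Z src=10.0.0.12 dst=203.0.113.4 dport=5555
2018-02-04T10:00:05Z src=10.0.0.12 dst=203.0.113.5 dport=5555
2018-02-04T10:00:06Z src=10.0.0.12 dst=198.51.100.9 dport=5555
2018-02-04T10:00:07Z src=10.0.0.5 dst=192.168.1.20 dport=5555
2018-02-04T10:30:07Z src=10.0.0.5 dst=192.168.1.20 dport=5555
2018-02-04T10:00:08Z src=10.0.0.7 dst=203.0.113.50 dport=443
not a connection record
""".splitlines()
```

Running `find_scanners(SAMPLE_LOG)` reports only 10.0.0.12 (six targets); the threshold and window are tunable to the size of the network being monitored.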
Yiming Gong, Director of the Network Security Research Lab at Qihoo 360 stated, “The number of scan [sources] has doubled every 12 [hours]. We will see how big this botnet gets.”
At the time of writing, Netlab has detected over 7,400 unique IP addresses performing ADB.miner scans, based on the public data collected by Netlab's Scanmon system.
Port 5555 has shot to the #4 spot in Netlab's most-scanned ports, as scanning for this port has become so widespread courtesy of the Android malware. Before the Monero-mining botnet, this port wasn't even in the top 10.
Based on Netlab's analysis, most of the IP addresses scanning for other devices are located in China (over 40%), followed by South Korea (30%). According to Yiming, the botnet has mostly infected TV-related devices rather than smartphones.
ADB.miner also marks the first time an Android malware strain has borrowed code from Mirai. Mirai is a Linux-based malware strain that has previously targeted only networking and IoT devices. According to Netlab, ADB.miner reuses some of Mirai's port-scanning code.
Even though the researchers did not provide any details about the ADB vulnerability the attackers are exploiting to take over devices, they have clarified that they don't think the bug is specific to any particular vendor. Put simply, this means the bug affects the core Android ADB component.
All Android OS builds ship with the ADB port disabled by default, so the devices infected by the botnet are ones where users or vendors intervened and enabled port 5555 themselves. At the moment, the attackers have not cashed out any of their mined Monero.