Android Botnet Targets Devices with Open Debug Ports

In mid-June 2018, well-known cybersecurity expert Kevin Beaumont once again drew attention to the fact that many Android smartphone manufacturers leave the Android Debug Bridge (ADB) functionality enabled by default, exposing devices to remote attacks. The ADB over WiFi option allows developers to connect to a device over Wi-Fi without using a USB cable.

This issue is not new. Back in February 2018, analysts at Qihoo 360 Netlab discovered the ADB.miner malware, which scanned networks for devices with open ADB debug ports (most often port 5555). Since Android runs not only on smartphones and tablets but also on smart TVs and various TV boxes, these devices were also vulnerable to infection.

Just over a month ago, Beaumont found that many gadgets have ADB over WiFi enabled "out of the box," and most owners are unaware of this. Since the Shodan search engine recently added the ability to search for devices with an accessible Android Debug Bridge interface, the number of indexed devices is rapidly increasing. In June, Beaumont found over 80,000 vulnerable devices in China alone.

New Wave of Attacks on Vulnerable Devices

Analysts at Trend Micro have now reported a new wave of attacks targeting vulnerable gadgets with open ADB ports. According to experts, this new wave of scans began on July 9-10, 2018, with most of the traffic originating from China and the United States. Starting July 15, Korean IP addresses also joined the attacks.

Researchers explain that after finding a vulnerable device, attackers use ADB to send a shell script, which then downloads another specialized shell script for the second stage of the attack. This script is responsible for launching malicious binaries in the third stage.

After successfully infecting a device, the malware terminates several processes that could threaten its operation and launches its own child processes, one of which allows it to spread further like a worm. The malware also connects to a command-and-control server at 95[.]215[.]62[.]169, an address previously linked to the Satori botnet.

According to Trend Micro analysts, the malware’s payload is designed to organize DDoS attacks (using UDP, TCP SYN, TCP ACK, and so on). Given the connection between this malicious campaign and the Satori botnet, experts believe the same hacker or hacker group is behind both, and someone is building a new botnet.

Since the malware has worm-like capabilities, researchers suggest that more attacks may follow, and that attackers are currently just testing the effectiveness of their tools and new tactics.

How to Protect Your Devices

Trend Micro estimates that at least 48,000 devices are currently vulnerable to ADB port attacks. These include various multimedia gadgets, smart TVs, smartphones, and more. Researchers remind users that no password can protect against these attacks, so they recommend not exposing such devices directly to the internet. Instead, place them behind routers and firewalls for protection.
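As an added example (not from the article or from Trend Micro's report), the following Python script lets an owner audit their own devices from the local network: it sends the same CNXN handshake that `adb connect` uses on TCP/5555 and reports whether adbd answers, either without any authentication or with an RSA AUTH challenge. Both outcomes mean the debug port is reachable and the device should not be exposed beyond a firewall. The host address and the sample replies at the bottom are constructed.

```python
import socket
import struct

# ADB wire protocol: every message is a 24-byte header of six little-endian
# uint32 values (command, arg0, arg1, data_length, data_check, magic) plus payload.
ADB_PORT = 5555
A_VERSION = 0x01000000   # protocol version that still carries a payload checksum
MAX_PAYLOAD = 4096


def _cmd(name: bytes) -> int:
    # Command constants are the four ASCII bytes read as a little-endian uint32.
    return int.from_bytes(name, "little")


A_CNXN = _cmd(b"CNXN")   # connection request / acceptance
A_AUTH = _cmd(b"AUTH")   # device demands RSA key authentication


def build_message(command: int, arg0: int, arg1: int, data: bytes) -> bytes:
    """Encode one ADB message; data_check is the byte sum, magic is command XOR 0xFFFFFFFF."""
    header = struct.pack("<6I", command, arg0, arg1, len(data),
                         sum(data) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return header + data


def build_connect() -> bytes:
    """The CNXN with identity 'host::' that a client sends first."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\0")


def parse_header(raw: bytes):
    """Return (command_name, arg0, arg1, data_length), or None if raw is not an ADB header."""
    if len(raw) < 24:
        return None
    command, arg0, arg1, length, _check, magic = struct.unpack("<6I", raw[:24])
    if magic != command ^ 0xFFFFFFFF:        # magic mismatch: not adbd talking
        return None
    return command.to_bytes(4, "little").decode("ascii", "replace"), arg0, arg1, length


def classify_reply(raw: bytes) -> str:
    """'open': adbd accepted with no auth; 'auth': adbd wants an RSA key; 'none': no ADB."""
    hdr = parse_header(raw)
    return {"CNXN": "open", "AUTH": "auth"}.get(hdr[0], "none") if hdr else "none"


def probe_adb(host: str, port: int = ADB_PORT, timeout: float = 3.0) -> str:
    """Audit one of your own devices: does TCP/5555 answer the ADB handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_connect())
            return classify_reply(s.recv(4096))
    except OSError:                           # refused, filtered, or timed out
        return "none"


if __name__ == "__main__":
    print("192.0.2.10 (constructed address):", probe_adb("192.0.2.10"))
```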