Android Mining Botnet Infects Thousands of Devices
In 2017, ransomware was the top cybersecurity threat, but in 2018, the focus of cybercriminals has clearly shifted to cryptocurrency and related activities. Attackers are increasingly engaging in cryptojacking (mining cryptocurrency through users' browsers), and large botnets are being repurposed to spread mining malware or manipulate exchange rates. Scammers are also exploiting ICOs of various blockchain startups or swapping out cryptocurrency wallet addresses in the clipboard or during connection stages, especially on the dark web.
Now, analysts at Qihoo 360 Network Security Research Lab have reported the emergence of a new mining botnet made up of Android devices, which is growing rapidly.
How the Botnet Spreads
Researchers explain that attackers are scanning networks for devices with open ADB (Android Debug Bridge) ports, most commonly port 5555. Since Android runs not only on smartphones and tablets but also on smart TVs and various TV boxes, these devices are also at risk of infection.
The malware, identified as ADB.miner, spreads like a worm. Researchers note that the botnet is highly aggressive and expanding quickly, with the number of scans doubling every 12 hours. According to experts, the botnet began operating on January 21, 2018, but its activity surged over the weekend of February 3, 2018.
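Since the worm's only described entry point is scanning for hosts with TCP/5555 exposed, the defender-side signal is a single source probing the ADB port on many addresses. The following check is an added example, not code from the article or the Qihoo 360 report: it parses constructed iptables-style firewall log lines (the sample IPs and format are assumptions) and flags sources that probe port 5555 on several distinct hosts.

```python
"""Flag sources that probe the ADB port (TCP/5555) across many hosts."""
import re
from collections import defaultdict

ADB_PORT = 5555

# Constructed sample firewall log, loosely in iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Feb 03 10:00:01 gw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.11 PROTO=TCP DPT=5555 SYN
Feb 03 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP DPT=5555 SYN
Feb 03 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.13 PROTO=TCP DPT=5555 SYN
Feb 03 10:00:05 gw kernel: IN=eth0 SRC=203.0.113.9 DST=10.0.0.11 PROTO=TCP DPT=443 SYN
Feb 03 10:00:07 gw kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.0.20 PROTO=TCP DPT=5555 SYN
"""

# Pull source, destination and destination port out of one log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def parse_adb_probes(log_text):
    """Return {src_ip: set(dst_ips)} for TCP connection attempts to the ADB port."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == ADB_PORT:
            probes[m.group("src")].add(m.group("dst"))
    return dict(probes)


def find_adb_scanners(log_text, min_targets=3):
    """Sources hitting port 5555 on at least min_targets distinct hosts are
    treated as worm-style scanners; a single probe is reported separately."""
    probes = parse_adb_probes(log_text)
    return sorted(src for src, dsts in probes.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, dsts in parse_adb_probes(SAMPLE_LOG).items():
        print(f"{src} probed ADB on {len(dsts)} host(s)")
    print("likely scanners:", find_adb_scanners(SAMPLE_LOG))
```

Lowering min_targets raises sensitivity at the cost of flagging a single legitimate ADB session; in practice, any inbound 5555 from the Internet is worth an alert, since the port is closed by default.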
Scale and Impact
Currently, scans are originating from 7,400 unique IP addresses, and port 5555 has become the fourth most commonly targeted port (it wasn't even in the top 10 recently), according to Qihoo 360 Network Security Research Lab statistics. Researchers estimate that between 2,700 and 5,500 devices are currently infected, with most located in China (40%) and South Korea (31%).
Technical Details
Experts report that the creators of ADB.miner borrowed several ideas and some source code from the IoT malware Mirai, particularly the method of continuously scanning for vulnerable devices. While the researchers do not specify which vulnerabilities are being exploited to compromise Android devices, they note that the issue is not limited to any specific manufacturer. The problem appears to be with the ADB component itself. On most devices, the ADB port is closed by default, but in practice, there are many exceptions to this rule.
Currently, the developers of ADB.miner are mining Monero cryptocurrency on two different pools, but in both cases, they use the same wallet for payouts, which so far remains empty.