
Experts discovered a botnet that exploits ADB and SSH for infecting Android devices

Trend Micro experts have discovered a new botnet that attacks mobile devices through open debug ports of the Android Debug Bridge (ADB) and spreads further over SSH using the known_hosts list.

Although ADB is disabled by default on most Android devices, some gadgets are still sold with ADB enabled (most often listening on port 5555).

“This attack takes advantage of the way open ADB ports don’t have authentication by default,” Trend Micro experts report.

As a result, unauthenticated attackers can remotely connect to a vulnerable device and gain access to the ADB command shell, which is normally used to install and debug applications.

Experts have previously found similar botnets, Trinity, Fbot and ADB.Miner, which also abused ADB functionality.

Trend Micro researchers now report that the new mobile botnet has already spread to 21 countries, with the majority of affected users located in South Korea.

Infection chain of the attack

During the first phase of the attack, the malware connects to devices on which ADB is reachable and changes its working directory to data/local/tmp. Next, it checks whether it has landed in a controlled (analysis) environment and whether security experts are studying it. If everything appears in order, the malware downloads the payload using wget or curl.

The payload is one of three miners, which the malware selects based on the system's manufacturer, its architecture, its processor type and its hardware. To optimize mining, the malware also “pumps” the memory of the victim machine, including by enabling HugePages.

Worse, the malware has worm-like potential and spreads via SSH: any system that connected to the original victim over SSH was likely saved there as a “known device”.

“Being a ‘known device’ means that system can communicate with the other system without any further authentication after the initial key exchange, i.e., each system is considered to be safe. Presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections,” Trend Micro reported.
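As an added, defender-side example (not code from the Trend Micro report or from this article): a Python check that parses `getprop` and `netstat -tln` output from an Android device and flags the ADB-over-TCP exposure the botnet depends on. The property names `service.adb.tcp.port` and `persist.adb.tcp.port` are real Android system properties; the sample output below is constructed, and the device names and ports in it are made up.

```python
import re

# Real Android properties that switch adbd from USB to TCP listening.
ADB_TCP_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")
ADB_DEFAULT_PORT = 5555  # the port the article says exposed devices usually listen on

# Constructed sample of `adb shell getprop` output ("[key]: [value]" lines).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.product.manufacturer]: [ExampleVendor]
[service.adb.tcp.port]: [5555]
[persist.adb.tcp.port]: []
[sys.usb.config]: [adb]
"""

# Constructed sample of `adb shell netstat -tln` output (listening TCP sockets).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

def parse_getprop(text):
    """Map property name -> value from getprop output; unparseable lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def listening_ports(netstat_text):
    """Return {port: local_address} for every LISTEN row of netstat -tln output."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            ports[int(port)] = addr
    return ports

def audit_adb_exposure(getprop_text, netstat_text):
    """Return a list of findings; an empty list means no ADB-over-TCP exposure seen."""
    props, listening, findings = parse_getprop(getprop_text), listening_ports(netstat_text), []
    for key in ADB_TCP_PROPS:
        value = props.get(key, "")
        if value.isdigit() and int(value) > 0:  # -1 or empty means USB-only adbd
            findings.append(f"{key}={value}: adbd configured for TCP")
    addr = listening.get(ADB_DEFAULT_PORT)
    if addr is not None and addr not in ("127.0.0.1", "::1"):
        findings.append(f"adbd listening on {addr}:{ADB_DEFAULT_PORT} (network reachable)")
    return findings
```

A device that produces findings should be switched back with `adb usb` (or have the property cleared), and the listener on 5555 should be confirmed gone before the device is put back on a shared network.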

Conclusion and security recommendations by Trend Micro:

Although ADB is a useful feature for administrators and developers, it is important to remember that leaving ADB enabled might expose the device, and the systems connected to it, to threats.

Users can also follow other best practices for defending against illicit cryptocurrency-mining activities and botnets, such as:

  • Checking and changing default settings when necessary to increase security
  • Updating device firmware and applying available patches
  • Being aware of methods attackers use to spread these types of malware and tailoring defenses against them

Source: https://blog.trendmicro.com

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you.
