Despite efforts to make Android devices more secure, there always seems to be a loophole for malware. This time the threat is a cryptocurrency miner that spreads through the Android Debug Bridge (ADB). Security researchers at 360netlab report that the malware replicates itself over TCP port 5555 to any Android device that exposes an open ADB port, and that its infection count roughly doubles every 12 hours.
Infection
The earliest infection the researchers traced dates back to 31 January this year. ADB.Miner is estimated to have infected more than 5,000 devices, mainly in South Korea and China. According to the research team, infection happens through port 5555: once a device is infected, the malware itself starts scanning for that port to propagate further. Stock Android does not listen on port 5555; the port is usually left open when ADB over the network has been enabled (for example with `adb tcpip 5555`, or by a vendor who shipped the device that way) and never turned off again. “Overall, we believe malicious code based on the Android system ADB debug interface is now actively spreading as a worm and has infected over 5,000 devices in 24 hours,” the team says. “Affected devices are actively trying to deliver malicious code.” Newer figures show the infections stabilising after peaking at around 7,000 devices. The research team has also ruled out the possibility of port 5555 being opened remotely by the attacker: the port has to be exposed already. The propagation payload is reported to be an Android package (seen as droidbot / mining.apk) built on Coinhive mining software.
At the moment any Android device that exposes ADB on port 5555 is at risk; in practice the malware mostly hits smartphones, tablets and Android smart TVs. 360netlab is withholding the infection details and the affected models to avoid copycats and further attacks. Its analysis does show, however, that the malware reuses part of the Mirai botnet's code in its scanning module. Mirai is the botnet that hijacked vulnerable Internet of Things devices and used them to launch distributed denial-of-service (DDoS) attacks against other targets.
ADB.Miner
ADB.Miner is a strain of malware whose mining code focuses on one cryptocurrency: Monero (XMR). The samples use several different mining pools that share the same wallet address, yet the researchers found no mining proceeds credited to that address. This makes it hard to trace the miner's operators by following the money.
As users become more security-aware, cybercriminals are shifting to malware that causes no obvious damage such as a data breach or lost files, but instead quietly consumes device resources, chiefly CPU time, for the attacker's benefit. Cisco Talos has reported that attackers are turning away from ransomware towards this scheme because it is harder to detect.
Related to ADB.Miner, Satori is another Mirai-based malware recently spotted targeting Ethereum miners: a tailored variant known as Satori.Coin.Robber scans port 3333 for Ethereum mining software.
Sample Analysis
The team captured nine samples; analysis showed that their core functions are worm-like propagation and mining. The team's findings were: “
- Worm infection: the infected device initiates a port scan for the TCP 5555 adb interface, then attempts to execute ADB commands to copy itself to the newly infected machines.
- XMR mining: it mines XMR after infection.
In addition, this worm borrows code from Mirai's SYN scanning module for efficiency.”
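The two behaviours above give the network a clear signature: a Mirai-style SYN scanner opens bare SYNs to 5555/tcp on many distinct hosts in a short time, while legitimate `adb connect` use touches one or two devices. The following added example (mine, not 360netlab's, and not based on any capture from the incident) runs that fan-out check over flow records. The record format (`<ISO timestamp> <src> <dst> <dst port> <tcp flags>`), the threshold of 16 distinct targets per minute, and the sample traffic generated by `constructed_sample_log()` are all assumptions chosen for illustration; adapt the parser to whatever your firewall or NetFlow export actually produces.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ADB_PORT = 5555


def parse_flow(line: str):
    """Parse one record of the constructed flow format:
    '<ISO timestamp> <src ip> <dst ip> <dst port> <tcp flags>'.
    Returns None for lines that do not fit, so one bad line cannot stop the sweep."""
    try:
        ts, src, dst, dport, flags = line.split()
        return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport), flags)
    except ValueError:
        return None


def find_adb_scanners(lines, port=ADB_PORT, min_targets=16, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for every source that sends bare SYNs to `port`
    on at least `min_targets` distinct hosts within some `window`-long interval.
    Retries against one host (a developer's 'adb connect') never raise the distinct count."""
    syns = defaultdict(list)                      # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if dport == port and flags == "S":        # bare SYN only: the scanner never completes a handshake
            syns[src].append((ts, dst))

    hits = {}
    for src, events in syns.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):      # every event opens a candidate window
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[str(src)] = best
    return hits


def constructed_sample_log():
    """Constructed sample traffic, not data from the page or from 360netlab."""
    base = datetime(2018, 2, 1, 12, 0, 0)
    lines = []
    # one infected device fanning SYNs out to 20 hosts on 5555 within ten seconds
    for i in range(20):
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 203.0.113.{i + 1} 5555 S")
    # a developer retrying 'adb connect' against a single TV box
    for i in range(3):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.2 10.0.0.50 5555 S")
    lines.append(f"{base.isoformat()} 10.0.0.3 10.0.0.9 22 S")   # unrelated SSH, ignored
    lines.append("this line is garbage")                        # exercises the parser's error path
    return lines


if __name__ == "__main__":
    for src, n in find_adb_scanners(constructed_sample_log()).items():
        print(f"{src}: SYN to {n} distinct hosts on {ADB_PORT}/tcp within 60 s")
```

The distinct-host count is what separates the worm from a developer: retries to one device stay at one target however many SYNs are sent, while the scanner's randomised targets climb quickly. Tune `min_targets` to your network size; on a small LAN even half a dozen distinct 5555 targets from one Android device is worth a look.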
Measures to take
Android malware is easier to avoid when a few simple protections are followed. Last year, most Android malware was found to be delivered through downloaded, tampered APK files, mostly from third-party stores that offer paid apps for free. ADB.Miner, however, is not something the user downloads: it is pushed onto the device over an exposed ADB port. The most direct defence against it is therefore to keep ADB over the network switched off (switch a device back to USB-only debugging with `adb usb`) and to make sure nothing on port 5555 is reachable from the network.
Because of the rise in infections, Google developed Google Play Protect, a mechanism in Android that scans downloaded apps, installed apps and other files to verify they have not been tampered with; if they have, it may warn you or remove the threat, depending on its severity. To stay on the safe side, install apps from the Play Store only. Google continuously cleans up the store, removing any app found to be malicious.
Also avoid insecure public networks such as open Wi-Fi hotspots. An attacker who has hijacked the network can deliver a payload to your device as soon as you connect, as happened in the Starbucks case. If you still need to use such hotspots, connect through a reputable VPN.