NEW ANDROID BOTNET —

In just 24 hours, 5,000 Android devices are conscripted into mining botnet

Worm-like infection targets devices that have seldom-used port 5555 open.

Dan Goodin - Feb 5, 2018 8:10 pm UTC

In just 24 hours, 5,000 Android devices are conscripted into mining botnet — Enlarge
Google

A fast-moving botnet that appeared over the weekend has already infected thousands of Android devices with potentially destructive malware that mines digital coins on behalf of the unknown attackers, researchers said.

The previously unseen malware driving the botnet has worm-like capabilities that allow it to spread with little or no user interaction required, researchers with Chinese security firm Netlab wrote in a blog post published Sunday. Once infected, Android phones and TV boxes scan networks for other devices that have Internet port 5555 open. Port 5555 is normally closed, but a developer tool known as the Android Debug Bridge opens the port to perform a series of diagnostic tests. Netlab's laboratory was scanned by infected devices from 2,750 unique IPs in the first 24 hours the botnet became active, a figure that led researchers to conclude that the malware is extremely fast moving.

"Overall, we think there is a new and active worm targeting Android systems' ADB debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours," Netlab researchers wrote. "Those infected devices are actively trying to spread malicious code."

The researchers said they were withholding some information about the devices that are getting infected, presumably to make it harder for copycat attackers to exploit the same underlying weakness or vulnerability.

Promoted Comments

sprockkets Ars Legatus Legionis

jump to post

TomXP411 wrote:
Masaaki2 wrote:
Nice technology. Explain about the device

There is no device. This is malware that theoretically spreads to anything running Android: smartphones, TV boxes, smart TV, even potentially your refrigerator, if it's one of the "smart" variety.

It sounds like you'll be safe if you leave the debugging tools turned off, but it's still frustrating, because as a software developer, I tend to turn on the debug tools on my Android hardware. Now this means I'll have to use an isolated network when developing and testing software on smart devices.

There is debug tools, then adb. Now if it takes advantage of a vulnerability in adb that's one thing, but it looks like it infects something listening on port 5555.

Besides, when's the last time you just auth an adb request out off nowhere?

13550 posts | registered 8/12/2005
TomXP411 Ars Praefectus

jump to post

sprockkets wrote:
show nested quotes
Masaaki2 wrote:
Nice technology. Explain about the device

There is no device. This is malware that theoretically spreads to anything running Android: smartphones, TV boxes, smart TV, even potentially your refrigerator, if it's one of the "smart" variety.

It sounds like you'll be safe if you leave the debugging tools turned off, but it's still frustrating, because as a software developer, I tend to turn on the debug tools on my Android hardware. Now this means I'll have to use an isolated network when developing and testing software on smart devices.

There is debug tools, then adb. Now if it takes advantage of a vulnerability in adb that's one thing, but it looks like it infects something listening on port 5555.

Besides, when's the last time you just auth an adb request out off nowhere?

ADB is also called the "Android Debug Bridge", and is the (as the name suggests) bridge between debug tools running on the device and a desktop computer running an IDE or debug console. Turning on debug tools is generally how you enable ADB on a device; so turning debug tools off should turn off ADB on the device.

I haven't actually tried probing 5555 on any devices, however, so I suppose it's possible that some devices will respond to the port even with debugging tools turned off. However, if debugging is turned on, infecting a device is trivial - since that's ADB's job.

7515 posts | registered 9/1/2010

Promoted Comments

sprockkets Ars Legatus Legionis

jump to post

TomXP411 wrote:
Masaaki2 wrote:
Nice technology. Explain about the device

There is no device. This is malware that theoretically spreads to anything running Android: smartphones, TV boxes, smart TV, even potentially your refrigerator, if it's one of the "smart" variety.

It sounds like you'll be safe if you leave the debugging tools turned off, but it's still frustrating, because as a software developer, I tend to turn on the debug tools on my Android hardware. Now this means I'll have to use an isolated network when developing and testing software on smart devices.

There is debug tools, then adb. Now if it takes advantage of a vulnerability in adb that's one thing, but it looks like it infects something listening on port 5555.

Besides, when's the last time you just auth an adb request out off nowhere?

13550 posts | registered 8/12/2005
TomXP411 Ars Praefectus

jump to post

sprockkets wrote:
show nested quotes
Masaaki2 wrote:
Nice technology. Explain about the device

There is no device. This is malware that theoretically spreads to anything running Android: smartphones, TV boxes, smart TV, even potentially your refrigerator, if it's one of the "smart" variety.

It sounds like you'll be safe if you leave the debugging tools turned off, but it's still frustrating, because as a software developer, I tend to turn on the debug tools on my Android hardware. Now this means I'll have to use an isolated network when developing and testing software on smart devices.

There is debug tools, then adb. Now if it takes advantage of a vulnerability in adb that's one thing, but it looks like it infects something listening on port 5555.

Besides, when's the last time you just auth an adb request out off nowhere?

ADB is also called the "Android Debug Bridge", and is the (as the name suggests) bridge between debug tools running on the device and a desktop computer running an IDE or debug console. Turning on debug tools is generally how you enable ADB on a device; so turning debug tools off should turn off ADB on the device.

I haven't actually tried probing 5555 on any devices, however, so I suppose it's possible that some devices will respond to the port even with debugging tools turned off. However, if debugging is turned on, infecting a device is trivial - since that's ADB's job.

7515 posts | registered 9/1/2010

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Further Reading

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica