ADB.miner targets multiple devices including mobile phones, media players and smart TVs
ADB.miner targets multiple devices including mobile phones, media players and smart TVs

Malicious cryptominers are going mobile and beyond with a new botnet malware targeting Android-based devices that expose debug capabilities to the internet, for the purpose or mining Monero.

Dubbed ADB.miner, Radware researchers spotted a malware impacting multiple devices including mobile phones, media players and smart TVs to harness power and mine cryptocurrencies, according to a Feb, 2 blog post.

“When a remote host exposes its Android Debug Bridge (ADB) control port, any Android emulator on the Internet has full install, start, reboot and root shell access without authentication,” the post said. “Part of the malware, xmrig binaries (Monero cryptocurrency miners) are executing on the devices.”

The malware obtains root shell access using Android SDK platform tools and with all ADB connection starting with the CNXN fixed string, the post said. Researchers noted that the threat is spreading globally and impacting the infected devices in terms of CPU resources and power consumed, despite the efforts only netting a small amount of money for the threat actors.

The malware was spotted when researchers noted a significant increase of activity against port 5555, one of the known ports used by TR069/064 exploits, both in number of hits and in number of distinct IPs. Other researchers noted the uptick in traffic as well.  

Netlab researchers noticed the set of malicious code being spread rapidly through worm-like infections targeting up to 5,000 the majority of which were mainly in China, nearly 40 percent, and South Korea, nearly 30 percent.

Traffic on the 5555 port began around 3 PM on Feb. 3, 2018 and reached three times the daily background data and by midnight traffic had reached 10 times the amount.

“In addition, the malicious code reuse mirai in the scanning phase of the code, this is the first time we see the mirai code is Android worm reuse,” Netlab researchers said. “Overall, we think malicious code based on the android system's adb debug interface is now actively spreading in worms and has infected more than 5,000 devices in 24 hours.”