A new crypto-mining botnet has been growing and targeting Android devices with an open ADB port, Qihoo 360’s NetLab researchers reveal.
The attacks started last week, targeting port 5555, which is the working port for the adb debug interface on Android devices. While this port should be normally closed on all devices, sometimes it could remain open, thus allowing devices to be compromised.
Courtesy of scanning code borrowed from the infamous Mirai botnet – which targets Internet of Things (IoT) devices – the new threat can spread as a worm, NetLab reports. Each of the infected bots would continue to scan for open 5555 adb ports to spread further.
This is the first time the Mirai code has been reused to target Android devices, the researchers point out.
The infection appears to have started on January 21, 2018, and the researchers say that the number of attacks has increased recently.
As of February 4, between 2,700 and 5,500 devices had been affected by the botnet, with most of them located in China (40%) and South Korea (31%) – based on the scanning IP addresses targeted devices include smartphones and smart TVs (TV set-top boxes), the security researchers say.
It appears that the botnet isn’t targeting vulnerabilities affecting only specific devices, mainly because models from a broad range of manufacturers have been already impacted. However, the security firm hasn’t provided details on the impacted device models.
The purpose of the newly created botnet, NetLab reports, is to mine for the Monero crypto-currency. The malware’s configuration shows the use of two mining pools, but both groups of devices are using the same wallet address.
The researchers revealed that no payment had been made to the used wallet by the time of their report, but also said they would continue watching and analyzing the threat to provide additional details.
Related: Crypto-Mining Botnet Ensnares 500,000 Windows Machines
Related: New Botnet Is Recruiting IoT Devices
Related: “Hide ‘N Seek” IoT Botnet Ensnares 20,000 Devices in Days