Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Hide ‘N Seek IoT Botnet Now Targets Android Devices

After being observed targeting smart homes just two months ago, the Hide ‘N Seek Internet of Things (IoT) botnet is now capable of infecting Android devices.

After being observed targeting smart homes just two months ago, the Hide ‘N Seek Internet of Things (IoT) botnet is now capable of infecting Android devices.

First detailed in January by Bitdefender, the botnet originally targeted home routers and IP cameras, but later evolved from performing brute force attacks over Telnet to leveraging injection exploits, thus greatly expanding its list of targeted device types.

Featuring a decentralized, peer-to-peer architecture, the botnet was able to abuse the various compromise methods to ensnare over 90,000 unique devices by May.

In early July, Hide ‘N Seek was observed targeting OrientDB and CouchDB database servers, and the malware evolved into targeting a remote code execution vulnerability in HomeMatic Zentrale CCU2, the central element of Smart Home devices from the German manufacturer eQ-3.

Bitdefender now says that newly identified samples of the malware target the Android Debug Bridge (ADB) over Wi-Fi feature to infect devices.

Normally used for troubleshooting and supposedly disabled by default, ADB was found enabled on commercially available Android devices, exposing them to attacks on TCP port 5555. The issue resides with vendors neglecting to disable ADB when shipping devices.

“Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode,” Bitdefender Senior Cybersecurity Analyst Liviu Arsene points out.

Hide ‘n Seek, however, is not the first malware to target the Android devices found to be shipping with ADB enabled. In July, a botnet was observed attempting to ensnare these devices for crypto-currency mining purposes.

With the addition of this new capability, Hide ‘n Seek might be able to amass at least another 40,000 new devices, Arsene believes. Most of the potentially affected devices appear to be located in Taiwan, Korea and China, while some of them are in the United States and Russia.

While some of the devices with ADB enabled might be hidden behind routers, the fact that the routers themselves are among the most vulnerable Internet-connected devices suggests that it’s not only Internet-facing Android devices that are at risk.

“It’s safe to say that not just Android-running smartphones are affected — smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affected too,” Arsene notes.

He also points out that Hide ‘n Seek’s operators are likely seeking new means to ensnare as many devices as possible, although they haven’t revealed the true purpose of the botnet just yet.

Related: Hide ‘N Seek Botnet Targets Smart Homes

Related: Botnet Targets Open Ports on Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.