After being observed targeting smart homes just two months ago, the Hide ‘N Seek Internet of Things (IoT) botnet is now capable of infecting Android devices.
First detailed in January by Bitdefender, the botnet originally targeted home routers and IP cameras, but later evolved from performing brute force attacks over Telnet to leveraging injection exploits, thus greatly expanding its list of targeted device types.
Featuring a decentralized, peer-to-peer architecture, the botnet was able to abuse the various compromise methods to ensnare over 90,000 unique devices by May.
In early July, Hide ‘N Seek was observed targeting OrientDB and CouchDB database servers, and the malware evolved into targeting a remote code execution vulnerability in HomeMatic Zentrale CCU2, the central element of Smart Home devices from the German manufacturer eQ-3.
Bitdefender now says that newly identified samples of the malware target the Android Debug Bridge (ADB) over Wi-Fi feature to infect devices.
Normally used for troubleshooting and supposedly disabled by default, ADB was found enabled on commercially available Android devices, exposing them to attacks on TCP port 5555. The issue resides with vendors neglecting to disable ADB when shipping devices.
“Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode,” Bitdefender Senior Cybersecurity Analyst Liviu Arsene points out.
Hide ‘n Seek, however, is not the first malware to target the Android devices found to be shipping with ADB enabled. In July, a botnet was observed attempting to ensnare these devices for crypto-currency mining purposes.
With the addition of this new capability, Hide ‘n Seek might be able to amass at least another 40,000 new devices, Arsene believes. Most of the potentially affected devices appear to be located in Taiwan, Korea and China, while some of them are in the United States and Russia.
While some of the devices with ADB enabled might be hidden behind routers, the fact that the routers themselves are among the most vulnerable Internet-connected devices suggests that it’s not only Internet-facing Android devices that are at risk.
“It’s safe to say that not just Android-running smartphones are affected — smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affected too,” Arsene notes.
He also points out that Hide ‘n Seek’s operators are likely seeking new means to ensnare as many devices as possible, although they haven’t revealed the true purpose of the botnet just yet.