
New Botnet Exploits Android Debug Bridge and SSH

A newly discovered crypto-currency mining botnet can spread via open ADB (Android Debug Bridge) ports and Secure Shell (SSH), Trend Micro reports. 

Designed to let developers communicate with devices remotely, execute commands and control the device, ADB can expose Android phones to malware if its daemon is left listening on TCP port 5555 and that port is reachable from the network.

Unfortunately, many Android devices ship with ADB enabled, and botnets that specifically target them have been around for at least a year. The Internet of Things-targeting Hide ‘N Seek botnet is one of them. 
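To make "ADB left enabled" concrete from the defender's side, here is an added Python example (not Trend Micro's or SecurityWeek's code) that parses an `adb shell getprop` dump and flags the settings that leave a device reachable in the way the article describes. The two dumps are constructed; the property names are the standard AOSP ones (`service.adb.tcp.port`, `persist.adb.tcp.port`, `ro.adb.secure`, `ro.debuggable`, `persist.sys.usb.config`).

```python
"""Flag ADB exposure from an `adb shell getprop` dump.

Added example for this article; not code from Trend Micro or SecurityWeek.
The sample dumps at the bottom are constructed.
"""
import re
from typing import Dict, List, Optional

# getprop prints one property per line as "[name]: [value]"
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

TCP_PORT_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a name -> value dict; lines that do not match are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _tcp_port(props: Dict[str, str], name: str) -> Optional[int]:
    """Return the configured adbd TCP port, or None when unset, empty or -1 (disabled)."""
    value = props.get(name, "").strip()
    if value.lstrip("-").isdigit():
        port = int(value)
        return port if port > 0 else None
    return None


def is_network_exposed(getprop_text: str) -> bool:
    """True when adbd is configured to listen on a TCP port (the exposure the article describes)."""
    props = parse_getprop(getprop_text)
    return any(_tcp_port(props, name) is not None for name in TCP_PORT_PROPS)


def assess_adb_exposure(getprop_text: str) -> List[str]:
    """List every setting that leaves adbd reachable, unauthenticated or privileged."""
    props = parse_getprop(getprop_text)
    findings: List[str] = []
    for name in TCP_PORT_PROPS:
        port = _tcp_port(props, name)
        if port is not None:
            findings.append(f"{name}={port}: adbd listens on TCP and is reachable from the network")
    usb_config = props.get("persist.sys.usb.config", "") + "," + props.get("sys.usb.config", "")
    if "adb" in {f.strip() for f in usb_config.split(",")}:
        findings.append("USB debugging enabled (adb listed in sys.usb.config)")
    if props.get("ro.adb.secure") == "0":
        findings.append("ro.adb.secure=0: adbd does not require RSA key authorization")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debuggable build, `adb root` is permitted")
    return findings


# Constructed sample: a device left in the state the article warns about
EXPOSED_DUMP = """\
[ro.product.manufacturer]: [ExampleCo]
[ro.adb.secure]: [0]
[ro.debuggable]: [0]
[service.adb.tcp.port]: [5555]
[persist.sys.usb.config]: [mtp,adb]
"""

# Constructed sample: the same device after network ADB and USB debugging are switched off
HARDENED_DUMP = """\
[ro.product.manufacturer]: [ExampleCo]
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
[service.adb.tcp.port]: [-1]
[persist.sys.usb.config]: [mtp]
"""

if __name__ == "__main__":
    for label, dump in (("exposed", EXPOSED_DUMP), ("hardened", HARDENED_DUMP)):
        print(label, assess_adb_exposure(dump) or ["no ADB exposure found"])
```

Feed it the output of `adb shell getprop` from a device you administer. A TCP-port finding is cleared with `adb usb`, which puts adbd back into USB-only mode, and on consumer phones by turning off USB or wireless debugging in Developer options; a `ro.adb.secure=0` finding means the device ships without the RSA authorization prompt and is only safe behind a firewall.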

The newly observed threat targets Android devices via ADB in a manner similar to that employed by the Satori botnet, but it can also spread from the compromised host to any systems that were previously connected to it via SSH, Trend Micro reveals.

The botnet has been highly active, infecting devices in 21 different countries, with the highest percentage of victims located in South Korea.

As part of the attack, IP address 45[.]67[.]14[.]179 connects to the device or system running ADB and changes the working directory to “/data/local/tmp,” because files placed there typically have permission to execute by default.

The bot then checks whether the system is a honeypot, downloads the payload, and changes its permissions so that it can be executed. It also attempts to remove all traces of itself, Trend Micro’s security researchers reveal.

System information, such as manufacturer, hardware details, and processor architecture, is collected and the data is used to determine what type of miner to deploy, as the attack script can choose between three different downloadable miners. 

The script also tunes the victim’s memory settings by enabling HugePages, so that the system supports memory pages larger than the default size, which benefits the miner. The botnet also attempts to block a competitor’s miner and kills its process.

After spreading to other devices connected to the system, the malware deletes its payload files, in an attempt to remove traces from the victim host.

The threat attempts to spread to any device that has connected to the original victim via SSH. These devices are typically listed in the SSH known hosts file and allow communication without requiring further authentication after the initial key exchange.

“The combination of known hosts and the victim’s public key makes it possible for the botnet to connect to smart devices or systems that have previously connected to the infected system,” Trend Micro explains. 

Two spreaders are used to infect systems via SSH, both targeting all known hosts by IPv4 addresses, but searching in different directories for these systems. 
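The known-hosts hop described in the last three paragraphs is easier to reason about with a concrete audit. The following Python is an added example (not Trend Micro's or SecurityWeek's code) that inspects what a process landing on a host could learn from its SSH files: it parses known_hosts (plain entries and the `|1|` hashed form, which OpenSSH builds as HMAC-SHA1 over the hostname with a random salt), reports which hosts are readable in clear, and checks which private keys have no passphrase, since the OpenSSH key format stores the cipher name right after its `openssh-key-v1` magic. The known_hosts lines, salt and key headers are constructed, and the key blobs carry no real key material; the target addresses are documentation ranges.

```python
"""Audit the SSH lateral-movement surface of a host.

Added example for this article; not code from Trend Micro or SecurityWeek.
All sample data below is constructed.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, List


def hash_known_host(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_known_hosts(text: str) -> List[Dict]:
    """Parse known_hosts lines into entries; hashed entries keep salt and digest."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        host_field, keytype = fields[0], fields[1]
        if host_field.startswith("|1|"):
            _, _, salt_b64, digest_b64 = host_field.split("|")
            entries.append({"hashed": True, "keytype": keytype,
                            "salt": base64.b64decode(salt_b64),
                            "digest": base64.b64decode(digest_b64)})
        else:
            entries.append({"hashed": False, "keytype": keytype,
                            "hosts": host_field.split(",")})
    return entries


def hashed_entry_matches(entry: Dict, host: str) -> bool:
    """True if the entry covers `host`: direct lookup for plain entries, HMAC check for hashed ones."""
    if not entry["hashed"]:
        return host in entry["hosts"]
    digest = hmac.new(entry["salt"], host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, entry["digest"])


def private_key_is_encrypted(key_text: str) -> bool:
    """Report whether a private key file needs a passphrase (OpenSSH or legacy PEM format)."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    return "Proc-Type: 4,ENCRYPTED" in key_text      # legacy PEM keys mark encryption in the header


def audit_ssh_exposure(known_hosts_text: str, keys: Dict[str, str]) -> Dict:
    """Summarize what a spreader on this host would find: clear-text targets and unlocked keys."""
    entries = parse_known_hosts(known_hosts_text)
    return {
        "readable_hosts": [h for e in entries if not e["hashed"] for h in e["hosts"]],
        "hashed_entries": sum(1 for e in entries if e["hashed"]),
        "unencrypted_keys": [name for name, text in keys.items() if not private_key_is_encrypted(text)],
    }


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed OpenSSH key *header* only (no key material), enough for the cipher check."""
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_SALT = b"\x01" * 20                              # constructed; OpenSSH uses a random 20-byte salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyData",
    "[192.0.2.11]:2222,smart-tv.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeKeyData",
    hash_known_host("203.0.113.5", SAMPLE_SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyData",
])
SAMPLE_KEYS = {
    "id_ed25519": _fake_openssh_key(b"none", b"none"),            # no passphrase
    "id_ed25519_work": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),  # passphrase-protected
}

if __name__ == "__main__":
    print(audit_ssh_exposure(SAMPLE_KNOWN_HOSTS, SAMPLE_KEYS))
```

Point `audit_ssh_exposure` at a real `~/.ssh/known_hosts` and the key files in the same directory to see the two things that feed the spreaders: every clear-text host is a ready-made target list, and every key without a passphrase is a credential that works without further prompting. `HashKnownHosts yes` in ssh_config removes the first, and passphrases on keys (loaded into an agent for convenience) remove the second.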


Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told SecurityWeek that his company has repeatedly warned users about this very attack vector for more than a year.

“The number of publicly vulnerable devices has declined from about 40,000 devices one year ago to about 30,000 devices today,” Hahad said. “Most of the remaining vulnerable devices are located in Korea, Taiwan, Hong Kong and China. It should be noted that some of the vulnerable devices are set top boxes used for IPTV, not mobile phones. It is our speculation that most of the phones are, or become, vulnerable, due to enabling the Android Debug Bridge during device rooting, a process which allows a locked down device to move freely between service providers.”

Related: Hide ‘N Seek IoT Botnet Now Targets Android Devices

Related: Botnet Targets Open Ports on Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
