A newly discovered crypto-currency mining botnet can spread via open ADB (Android Debug Bridge) ports and Secure Shell (SSH), Trend Micro reports.
ADB is designed to let developers communicate with a device remotely, execute commands and control it. When ADB is enabled over the network, the daemon listens on TCP port 5555, and a device that leaves that port reachable from the Internet can be commandeered by malware.
Unfortunately, many Android devices ship with ADB enabled, and botnets that specifically target them have been around for at least a year. The Internet of Things-targeting Hide ‘N Seek botnet is one of them.
The newly observed threat targets Android devices via ADB in a manner similar to that employed by the Satori botnet, but can also spread from the compromised host to any systems that were previously connected to it via SSH, Trend Micro reveals.
The botnet has been highly active, infecting devices in 21 different countries, with the highest percentage of victims located in South Korea.
As part of the attack, the IP address 45[.]67[.]14[.]179 connects to the device or system running ADB and changes the working directory to /data/local/tmp, a location chosen because files placed there can be made executable.
The bot then checks whether the system is a honeypot before downloading the payload and changing its permissions so that it can run. It also attempts to remove all traces of itself, Trend Micro's security researchers reveal.
System information, such as manufacturer, hardware details, and processor architecture, is collected and the data is used to determine what type of miner to deploy, as the attack script can choose between three different downloadable miners.
The script also adjusts the victim's memory settings by enabling HugePages, so that the system can serve memory pages larger than the default size, a tuning step that benefits the miner rather than the victim. The botnet also looks for a competitor's miner and kills its process.
After spreading to other devices connected to the system, the malware deletes its payload files, in an attempt to remove traces from the victim host.
The threat attempts to spread to any device that the original victim has previously connected to via SSH. Those hosts are recorded in the victim's known_hosts file, and where the victim's SSH key is already trusted by them, a login from the infected system succeeds without any further authentication prompt.
“The combination of known hosts and the victim’s public key makes it possible for the botnet to connect to smart devices or systems that have previously connected to the infected system,” Trend Micro explains.
Two spreaders are used to infect systems via SSH; both target every IPv4 address listed in the known hosts, but they look for those lists in different directories.
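To make the SSH spreading step concrete, here is an added Python example, not Trend Micro's analysis code and not the botnet's spreader, modelling what a spreader can read from a plain-text known_hosts file and why hashing that file (OpenSSH's `HashKnownHosts yes`, or `ssh-keygen -H` on an existing file) blunts that step. The sample known_hosts content, its addresses and key blobs are constructed for this example; the hashed-entry format (`|1|base64(salt)|base64(HMAC-SHA1(salt, host))`) is OpenSSH's, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import ipaddress
import os
import re
from typing import List, Optional

# Constructed sample known_hosts content (not taken from the report): plain
# entries, a comma-separated alias, a [host]:port entry, a marker line and an
# already-hashed entry. The key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# hosts this user has reached before
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
192.0.2.10,node1.example.test ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
[203.0.113.5]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER
@cert-authority *.example.test ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
|1|YWJjZGVmZ2hpamtsbW5vcHFyc3Q=|3ZmcZs8z9yX0F6a9W4l0Dq2Q8w4= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
198.51.100.77 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
"""

_BRACKETED = re.compile(r"^\[(.+)\]:\d+$")  # [host]:port form used for non-standard ports


def _split_entry(line: str):
    """Split one known_hosts line into (marker, hostfield, rest), or None if malformed."""
    fields = line.split()
    marker = ""
    if fields and fields[0].startswith("@"):      # @cert-authority / @revoked
        marker, fields = fields[0], fields[1:]
    if len(fields) < 3:
        return None
    return marker, fields[0], " ".join(fields[1:])


def extract_ipv4_targets(known_hosts_text: str) -> List[str]:
    """What an SSH spreader can learn from a known_hosts file: every IPv4 address
    written in plain text, in file order, without duplicates. Hostnames and
    wildcard patterns are ignored here; hashed entries reveal nothing at all."""
    targets: List[str] = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = _split_entry(line)
        if parsed is None or parsed[1].startswith("|1|"):
            continue
        for pattern in parsed[1].split(","):
            pattern = pattern.lstrip("!")             # negated pattern, still names a host
            m = _BRACKETED.match(pattern)
            host = m.group(1) if m else pattern
            try:
                addr = str(ipaddress.IPv4Address(host))
            except ValueError:
                continue                               # hostname, wildcard or IPv6
            if addr not in targets:
                targets.append(addr)
    return targets


def hash_known_hosts(known_hosts_text: str, salt: Optional[bytes] = None) -> str:
    """Rewrite plain entries into OpenSSH's hashed form, as `ssh-keygen -H` or
    `HashKnownHosts yes` do. A comma-separated host field becomes one hashed
    line per host. A fixed salt may be passed for reproducible tests; real use
    draws a fresh random 20-byte salt per line (the default here)."""
    out = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        parsed = None if (not line or line.startswith("#")) else _split_entry(line)
        if parsed is None or parsed[1].startswith("|1|"):
            out.append(raw)                            # comments and hashed lines pass through
            continue
        marker, hostfield, rest = parsed
        prefix = marker + " " if marker else ""
        for host in hostfield.split(","):
            s = salt if salt is not None else os.urandom(20)
            mac = hmac.new(s, host.encode(), hashlib.sha1).digest()
            hashed = "|1|%s|%s" % (base64.b64encode(s).decode(), base64.b64encode(mac).decode())
            out.append("%s%s %s" % (prefix, hashed, rest))
    return "\n".join(out) + "\n"


def hashed_entry_matches(hostfield: str, host: str) -> bool:
    """How ssh matches a hashed entry: recompute the HMAC with the stored salt.
    The file still works for the legitimate client; only enumeration is lost."""
    parts = hostfield.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)
```

Hashing closes only the enumeration half of the vector. The other half, a private key in ~/.ssh that peers already trust, is unaffected, so keys on devices like these should carry a passphrase or be rotated, and the authorized_keys files on the peers reviewed for keys that no longer need to be there.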
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told SecurityWeek that his company has repeatedly warned users about this very attack vector for more than a year.
“The number of publicly vulnerable devices has declined from about 40,000 devices one year ago to about 30,000 devices today,” Hahad said. “Most of the remaining vulnerable devices are located in Korea, Taiwan, Hong Kong and China. It should be noted that some of the vulnerable devices are set top boxes used for IPTV, not mobile phones. It is our speculation that most of the phones are, or become, vulnerable, due to enabling the Android Debug Bridge during device rooting, a process which allows a locked down device to move freely between service providers.”