Crypto-mining botnet spreads to thousands of Android phones

ADB.Miner was discovered by cybersecurity company 360Netlab last weekend. The devices were activated on February 3 and include a broad range of Android products. Smartphones, smart TVs and connected set-top boxes are amongst the devices known to be hosting the attack.
The population of infected devices initially grew extremely rapidly as the botnet spread. According to 360Netlab’s updated estimates, the attack is capable of doubling its reach every 12 hours. The aggressive infection campaign has now slowed, though, and the creator appears to have halted further propagation. Around 7,400 devices are currently impacted.
The botnet is spreading over port 5555, which is normally used on Android by the system’s ADB debugging interface. ADB is a service which can be used by developers to wirelessly interact with Android devices from a PC. It provides an advanced interface to test apps and features, including access to sensitive components of the operating system.
Although ADB is normally disabled by default, there are instances in which its port may be left open. ADB.Miner uses this open doorway as an entry point to its infection targets. Once it’s installed, it begins to mine tokens of the Monero cryptocurrency using two different mining pools. The worm then propagates itself by scanning the web to find further devices with port 5555 exposed.
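Both behaviours described above, inbound connections to port 5555 and an infected device fanning out to many new addresses on the same port, can be spotted in network flow logs. The following is an added example, not code from 360Netlab or the original article; the log format, the internal address range and the fan-out threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = 5555          # TCP port of the ADB debugging interface named in the article
FANOUT_THRESHOLD = 5     # assumption: distinct targets before a source counts as scanning
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumption: your own address space

# Constructed sample records: "time src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10:00:01 198.51.100.7 192.168.1.50 5555 tcp
10:00:02 198.51.100.7 192.168.1.77 5555 tcp
10:03:10 192.168.1.50 203.0.113.11 5555 tcp
10:03:10 192.168.1.50 203.0.113.12 5555 tcp
10:03:11 192.168.1.50 203.0.113.13 5555 tcp
10:03:11 192.168.1.50 203.0.113.14 5555 tcp
10:03:12 192.168.1.50 203.0.113.15 5555 tcp
10:04:00 192.168.1.20 192.168.1.60 5555 tcp
10:04:05 192.168.1.20 203.0.113.80 443 tcp
garbled line
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Yield (src, dst, port, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                   int(parts[3]), parts[4].lower())
        except ValueError:
            continue

def analyse(text, threshold=FANOUT_THRESHOLD):
    """Return (internal hosts scanning on 5555, internal hosts reached on 5555 from outside)."""
    fanout = defaultdict(set)   # internal source -> distinct destinations on port 5555
    reached = set()             # internal devices contacted on port 5555 by external sources
    for src, dst, port, proto in parse_flows(text):
        if port != ADB_PORT or proto != "tcp":
            continue
        if is_internal(src):
            fanout[src].add(dst)
        elif is_internal(dst):
            reached.add(dst)
    scanners = sorted(str(h) for h, targets in fanout.items() if len(targets) >= threshold)
    return scanners, sorted(str(h) for h in reached)

if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

A device that appears in both lists, as 192.168.1.50 does in the sample, was contacted on port 5555 from outside and then began contacting many addresses on that port itself. A single developer connection between two internal hosts stays below the threshold.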
According to the security researchers, ADB.Miner is based on the Mirai malware strain that has previously formed the basis of other large-scale botnets. Mirai has previously been restricted to networking appliances and connected Internet of Things devices. It’s believed that this is the first time code from Mirai has been borrowed by malware specifically targeting Android products.
The botnet’s also a relatively rare example of malicious cryptocurrency mining on mobile devices. This form of attack is becoming more common though. Over the past year, the increased value of cryptocurrencies has made website mining scripts more attractive to hackers. Recently, Google admitted its AdWords ad platform was compromised by a crypto-mining script that targeted YouTube users.
ADB.Miner is currently active in the wild with several thousand devices infected and mining Monero coins. The majority of the victims are located in China and Korea. Although the worm’s propagation has now slowed, it could accelerate again in the future. 360Netlab has yet to ascertain how or when port 5555 is being exposed, but it has ruled out the possibility of the malware author opening it remotely.
