ADB.Miner worm is rapidly spreading across Android devices

Updated: The malware is targeting and compromising thousands of devices to mine cryptocurrency.
Written by Charlie Osborne, Contributing Writer

Video: New Linux crypto-miner botnet profits as your PC processes cryptocurrency

A fresh threat to Android devices has managed to infect thousands of devices in days, researchers warn.

In a blog post published Sunday, cybersecurity researcher Wang Hui from 360Netlab said a strain of cryptocurrency mining malware called ADB.Miner has begun spreading rapidly.

The malware has similar capabilities to worms and uses the ADB debug interface, on port 5555, to spread.

It is usually the case that port 5555 is kept closed; however, the ADB debug tool used to conduct diagnostic tests sometimes may open this port -- potentially by accident.

Once a device is infected, it will continue to scan the 5555 port to propagate further and find other devices with the same port open, such as Android-based smartphones, tablets, or television sets.

According to the Chinese security firm, smartphones and smart TV set-top boxes are among most of the devices currently infected, but the company has not disclosed which models or vendors.

While the earliest time of infection has been traced back to 31 January, in only 24 hours, the researchers estimate ADB.Miner has been able to spread to upwards of 5,000 devices, mainly in China and South Korea.

"Overall, we believe malicious code based on the Android system ADB debug interface is now actively spreading in worms and infected over 5,000 devices in 24 hours," the team says. "Affected devices are actively trying to deliver malicious code."

While 360Netlab has chosen to be scant on the details of infection -- potentially to stop copycats -- the team did say that the miner has Mirai code within its scanning module.

Mirai is a botnet which enslaved millions of vulnerable Internet of Things (IoT) devices for the purposes of conducting distributed denial-of-service (DDoS) attacks.

Read also: What we can expect from future cryptocurrency regulation worldwide

The malware contains mining software which specifically focuses on Monero (XMR). ADB.Miner connects to two different mining pools which both share the same wallet address but is yet to deposit proceeds from the fraudulent mining operations.

Cybercriminals are exploring ways to utilize cryptocurrency miners, in themselves not malicious, for fraudulent purposes. A recent report from Cisco Talos has suggested that cyberattackers are turning away from ransomware in favor of this silent, and harder to detect, kind of scheme.

Malware based on the Mirai botnet, dubbed Satori, has been recently spotted targeting Ethereum mining rigs. A tailored version of Satori, called Satori.Coin.Robber, scans for devices through port 3333.

If old versions of Claymore Miner software which have not been patched against the malware are detected, the malicious code replaces user wallet addresses with others controlled by the malware operators.

Update: 10am GMT:

The researchers have revealed additional details on ADB.Miner. Infections appear to have stabilized after reaching a peak of 7,000, and the team has also ruled out the possibility of port 5555 being remotely opened.

"The 5555 ADB interfaces of those devices have already been opened before infected," the researchers say. We have no idea about how and when this port was opened yet."

It also appears that the worm's propagation is implemented through droidbot, a mining .apk based on Coinhive mining software.

17 ways the Internet of Things can go horribly wrong

Related stories

Editorial standards