Two botnets are fighting over control of thousands of unsecured Android devices

Researchers spot Trinity and Fbot botnets trying to infect Android devices via the ADB interface.
Written by Catalin Cimpanu, Contributor

Two botnet gangs are fighting to take control over as many unsecured Android devices as they can to use their resources and mine cryptocurrency behind owners' backs.

The turf war between these two botnets --one named Fbot and the other named Trinity-- has been going on for at least a month if we're to combine the various clues from reports published by different cyber-security firms.

Both are in direct competition and are going after the same targets, namely Android devices on which vendors or owners have left the diagnostics port exposed online.

This port is 5555, and it hosts a standard Android feature called the Android Debug Bridge (ADB). All Android devices support it but most come with it disabled.

But while ADB is disabled on hundreds of millions of devices, there are tens of thousands where this feature has been left enabled, either by accident during the device's assembly and testing process or by the user after he used the ADB to debug or customize his phone.

Also: Cyber security: Your boss doesn't care and that's not OK

Making matters worse, in its default configuration, the ADB interface also doesn't use a password. Once the ADB port is enabled and the device is connected to the internet, the ADB feature acts as a permanent wide-open backdoor to vulnerable devices.

According to a Shodan search, the number of Android devices with an ADB port exposed online usually varies between 30,000 and 35,000 during a day.

Cyber-criminals have also noticed these devices. Back in February this year, a botnet built on a malware strain known as ADB.Miner had infected nearly 7,500 devices, most of them being Android-based smart TVs and TV top boxes.

The ADB.Miner crew mined cryptocurrency, and in the end, turned a nice profit. But this malware strain evolved with time and later morphed into a new botnet named Trinity --also known as com.ufo.miner, after the name of its process.

The botnet has been seen by Qihoo 360 Netlab in September and was still going strong in October when Ixia researchers also spotted it online.

Just like its previous ADB.Miner incarnation, the Trinity botnet has continued to rely on the exposed ADB interface to access devices, plant its crypto-mining malware, and then use the infected device to spread to new victims.

Also: 7 tips for SMBs to improve data security TechRepublic

However, ADB.Miner and Trinity's success has also drawn new contenders on the scene. Also starting with September, a different botnet was also seen scanning for devices with an ADB port left exposed online. This second botnet, named Fbot, has not been seen mining cryptocurrency, yet.

For not, Fbot, which researchers say shares code with the Satori IoT DDoS malware, has only been focused on spreading to as many devices as possible and permanently dislodging Trinity from infected devices. You see, Fbot contains special code that specifically searches for Trinity's file name (com.ufo.miner) and removes it.

While its purpose remains a mystery and it may take some time before Fbot becomes just as large as Trinty, it is clear that Android device owners need to take note of this malware trend and make sure their device is not exposing the ADB port online.

This tutorial will help device owners disable the ADB service --which is also referred to as "USB Debugging" in many Android devices' settings menus.

Back in June, infosec pundit Kevin Beaumont had suggested that mobile telcos could do everyone a favor by blocking inbound traffic into their networks that targeted port 5555, which would render scans for open ADB ports useless, effectively blocking any exploitation attempts.

How to discover and destroy spyware on your smartphone (in pictures)

Related stories:

Editorial standards