Malware Strains Fight over Access to Android Devices with USB Debugging Mode Open

Discussion in 'HardForum Tech News' started by cageymaru, Nov 5, 2018.

  1. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,812
    Joined:
    Apr 10, 2003
    Users of Android devices that have left port 5555 for Android Debug Bridge (ADB) mode open are being infected with malware that mines cryptocurrency. Sometimes ADB is left open from the factory or when users customize their phones and forget to disable what is commonly referred to as "USB Debugging" mode. ADB mode doesn't require a password and allows anyone on the internet unfettered access to the Android device. The ADB.miner infection was the first to take advantage of the unprotected devices and made the creators of the malware a nice sum of cash mining cryptocurrency. It has been altered by another group into a new strain of malware that mines cryptocurrency called Trinity or com.ufo.miner. A third strain of malware called Fbot is scanning the internet and removing Trinity infections. The simple fix for it all is to close ADB.

    According to a Shodan search, the number of Android devices with an ADB port exposed online usually varies between 30,000 and 35,000 during a day. This second botnet, named Fbot, has not been seen mining cryptocurrency, yet. For not, Fbot, which researchers say shares code with the Satori IoT DDoS malware, has only been focused on spreading to as many devices as possible and permanently dislodging Trinity from infected devices. You see, Fbot contains special code that specifically searches for Trinity's file name (com.ufo.miner) and removes it.
     
  2. clockdogg

    clockdogg Gawd

    Messages:
    904
    Joined:
    Dec 12, 2007
    So... does this mean crypto-mining is profitable on Android, provided it can grab spare clock cycles from the 'legit' factory-installed data-miners?
     
  3. DarkStar02

    DarkStar02 2[H]4U

    Messages:
    2,109
    Joined:
    Mar 1, 2006
    Probably when it's spread among tens/hundreds of thousands of devices
     
    Ironchef3500 likes this.
  4. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,677
    Joined:
    Dec 15, 2003
    I'm guessing this is for older versions of the OS? Or is it a discovered vulnerability?

    Newer versions of Android should have two protections against this:

    Debug Mode when USB Connected --> debug mode is only active when it's connected to the USB.

    Debug Mode USB Authorizations --> debug mode will only grant access to devices that are authenticated.

    If connect to ADB on my device via USB I will get prompted on the phone to "authorize this device," in-which I can store that computers hardware hash on the phone for future connections (or reprompt every time).
     
  5. blandead

    blandead Limp Gawd

    Messages:
    213
    Joined:
    Nov 6, 2010
    I was thinking the same thing.. But there are a lot of phones and tablets without updates. Also I'm guessing developers leave it on
     
  6. The_Capulet

    The_Capulet n00b

    Messages:
    45
    Joined:
    Sep 17, 2017
    That's an intense run-down. There's a virus out there for cellphones that attacked open ADB ports to mine crypto. Now there's a variant of that doing it again, and another "virus" scanning open ADB ports to delete it as well. Virus wars!
     
  7. Geryon

    Geryon n00b

    Messages:
    43
    Joined:
    Sep 23, 2009
    This article is a little misleading and implies that the malware targets any device with "USB Debugging" enabled.

    In actual fact, the malware only targets devices which have port 5555 open as a result of enabling "ADB over Wi-Fi".

    That requires someone to have actually connected to the device via a USB cable, opened a command prompt, and entered a specific command to switch the ADB mode from USB to TCPIP on port 5555. Only then will the device be vulnerable to this malware, because in TCPIP mode no authentication is required to execute ADB commands (well done Google).

    In other words, simply enabling "USB Debugging" is not enough to expose your device and I daresay most people have nothing to worry about!
     
    toast0, mufcfan and Wrecked Em like this.
  8. M76

    M76 [H]ardForum Junkie

    Messages:
    9,347
    Joined:
    Jun 12, 2012
    Of course it is profitable when you're stealing the cpu time. And don't have to pay for the electricity or the hw.
     
    Deleted member 184142 likes this.
  9. M76

    M76 [H]ardForum Junkie

    Messages:
    9,347
    Joined:
    Jun 12, 2012
    Can you really blame the lock manufacturer on the back door, if you opened the door and left it open?
     
  10. mufcfan

    mufcfan Limp Gawd

    Messages:
    245
    Joined:
    Feb 23, 2005
    For this to work this requires:
    Enabling debugging on the phone.
    AND setting the adb service on a PC to listen over the network.
    AND setting the listening port on that PC to 5555.
    AND if you let that PC to connect to your phone for debugging.

    That's not even the default port and adb doesn't even start automatically, only if you set it to do so of course.
    Unless a virus carries out all that on the PC, I don't really see this happening. If it does, then cryptomining running on your phone does not even make the top 10 of problems you need solved yesterday or a bit sooner.
     
  11. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,342
    Joined:
    Oct 29, 2000

    Thanks for explaining.

    I wonder how this has happened on so many devices though? Most users wouldn't even know how to do this if they wanted to.

    The article did mention that some OEM's have left this open inadvertently shipping from the factory. Might also be built into shady aftermarket roms downloaded from the internet.

    I wonder how you can check if your device has it open. Point telnet at your device IP and port while on WIFI and see if it connects?