cageymaru

Users of Android devices that have left port 5555 for Android Debug Bridge (ADB) mode open are being infected with malware that mines cryptocurrency. Sometimes ADB is left open from the factory or when users customize their phones and forget to disable what is commonly referred to as "USB Debugging" mode. ADB mode doesn't require a password and allows anyone on the internet unfettered access to the Android device. The ADB.miner infection was the first to take advantage of the unprotected devices and made the creators of the malware a nice sum of cash mining cryptocurrency. It has been altered by another group into a new strain of malware that mines cryptocurrency called Trinity or com.ufo.miner. A third strain of malware called Fbot is scanning the internet and removing Trinity infections. The simple fix for it all is to close ADB.

According to a Shodan search, the number of Android devices with an ADB port exposed online usually varies between 30,000 and 35,000 during a day. This second botnet, named Fbot, has not been seen mining cryptocurrency, yet. For now, Fbot, which researchers say shares code with the Satori IoT DDoS malware, has only been focused on spreading to as many devices as possible and permanently dislodging Trinity from infected devices. You see, Fbot contains special code that specifically searches for Trinity's file name (com.ufo.miner) and removes it.
 
So... does this mean crypto-mining is profitable on Android, provided it can grab spare clock cycles from the 'legit' factory-installed data-miners?
 
I'm guessing this is for older versions of the OS? Or is it a discovered vulnerability?

Newer versions of Android should have two protections against this:

Debug Mode when USB Connected --> debug mode is only active when it's connected to the USB.

Debug Mode USB Authorizations --> debug mode will only grant access to devices that are authenticated.

If I connect to ADB on my device via USB I will get prompted on the phone to "authorize this device," in which I can store that computer's hardware hash on the phone for future connections (or re-prompt every time).
 
I was thinking the same thing. But there are a lot of phones and tablets without updates. Also I'm guessing developers leave it on.
 
That's an intense run-down. There's a virus out there for cellphones that attacked open ADB ports to mine crypto. Now there's a variant of that doing it again, and another "virus" scanning open ADB ports to delete it as well. Virus wars!
 
This article is a little misleading and implies that the malware targets any device with "USB Debugging" enabled.

In actual fact, the malware only targets devices which have port 5555 open as a result of enabling "ADB over Wi-Fi".

That requires someone to have actually connected to the device via a USB cable, opened a command prompt, and entered a specific command to switch the ADB mode from USB to TCPIP on port 5555. Only then will the device be vulnerable to this malware, because in TCPIP mode no authentication is required to execute ADB commands (well done Google).

In other words, simply enabling "USB Debugging" is not enough to expose your device and I daresay most people have nothing to worry about!
 
So... does this mean crypto-mining is profitable on Android, provided it can grab spare clock cycles from the 'legit' factory-installed data-miners?
Of course it is profitable when you're stealing the CPU time. And don't have to pay for the electricity or the hardware.
 
That requires someone to have actually connected to the device via a USB cable, opened a command prompt, and entered a specific command to switch the ADB mode from USB to TCPIP on port 5555. Only then will the device be vulnerable to this malware, because in TCPIP mode no authentication is required to execute ADB commands (well done Google).

Can you really blame the lock manufacturer on the back door, if you opened the door and left it open?
 
For this to work, this requires:
Enabling debugging on the phone.
AND setting the adb service on a PC to listen over the network.
AND setting the listening port on that PC to 5555.
AND if you let that PC connect to your phone for debugging.

That's not even the default port and adb doesn't even start automatically, only if you set it to do so of course.
Unless a virus carries out all that on the PC, I don't really see this happening. If it does, then cryptomining running on your phone does not even make the top 10 of problems you need solved yesterday or a bit sooner.
 
This article is a little misleading and implies that the malware targets any device with "USB Debugging" enabled.

In actual fact, the malware only targets devices which have port 5555 open as a result of enabling "ADB over Wi-Fi".

That requires someone to have actually connected to the device via a USB cable, opened a command prompt, and entered a specific command to switch the ADB mode from USB to TCPIP on port 5555. Only then will the device be vulnerable to this malware, because in TCPIP mode no authentication is required to execute ADB commands (well done Google).

In other words, simply enabling "USB Debugging" is not enough to expose your device and I daresay most people have nothing to worry about!
Thanks for explaining.

I wonder how this has happened on so many devices though? Most users wouldn't even know how to do this if they wanted to.

The article did mention that some OEMs have left this open inadvertently, shipping from the factory. Might also be built into shady aftermarket ROMs downloaded from the internet.

I wonder how you can check if your device has it open. Point telnet at your device IP and port while on Wi-Fi and see if it connects?
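A telnet connect only shows that something is listening. As an added example (not code from the thread, the article, or any project), this Python check goes one step further for a device you own on your LAN: it connects to port 5555, sends the ADB CNXN handshake from the public ADB transport protocol, and reports whether the device answered CNXN (it accepts commands with no authentication) or AUTH (it demands a signed token first). The host address is a placeholder you replace with your own device's IP.

```python
import socket
import struct
import sys

# ADB transport commands are 4 ASCII bytes read as a little-endian uint32.
A_CNXN = 0x4E584E43       # "CNXN": connection accepted / no auth needed
A_AUTH = 0x48545541       # "AUTH": device wants an RSA-signed token first
ADB_VERSION = 0x01000000  # protocol version 1
MAX_PAYLOAD = 4096        # legacy max data size, accepted by every device
HEADER_FMT = "<IIIIII"    # command, arg0, arg1, data_length, data_check, magic


def build_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message: 24-byte header followed by the payload."""
    data_check = sum(payload) & 0xFFFFFFFF          # checksum is the byte sum
    magic = command ^ 0xFFFFFFFF                    # magic is the bitwise NOT
    header = struct.pack(HEADER_FMT, command, arg0, arg1,
                         len(payload), data_check, magic)
    return header + payload


def parse_header(raw):
    """Return (command, arg0, arg1, data_length) or None if not an ADB header."""
    if len(raw) < 24:
        return None
    command, arg0, arg1, length, _check, magic = struct.unpack(HEADER_FMT, raw[:24])
    if magic != command ^ 0xFFFFFFFF:
        return None                                 # some other service on 5555
    return command, arg0, arg1, length


def classify(command):
    """Translate the first reply command into an exposure verdict."""
    if command == A_CNXN:
        return "EXPOSED: device accepted the connection without authentication"
    if command == A_AUTH:
        return "AUTH-REQUIRED: device speaks ADB but demands a signed token"
    return "UNKNOWN: unexpected ADB command 0x%08x" % command


def probe(host, port=5555, timeout=3.0):
    """Connect to host:port, send CNXN, and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, b"host::\x00"))
            parsed = parse_header(s.recv(24))
    except OSError as exc:
        return "CLOSED: %s" % exc                   # refused, timed out, unreachable
    if parsed is None:
        return "NOT-ADB: port open but the reply is not an ADB header"
    return classify(parsed[0])


if __name__ == "__main__":
    # Placeholder address: pass your own device's LAN IP as the first argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))
```

If the verdict is EXPOSED, `adb usb` from the PC that set the device into TCP mode (or a reboot on most devices) closes the listener, and turning off USB debugging prevents it from being reopened.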
 