Android Devices With Misconfigured ADB, a Ripe Target for Cryptojacking Malware

Vendors have been shipping Android products with Android Debug Bridge enabled, making them attractive targets for hackers.

Poorly configured Android devices, where the Android Debug Bridge is left enabled, have become an attractive target for hackers. According to researchers, adversaries are using the common misconfiguration to install cryptojacking malware on a wide selection of Android-based IoT devices, ranging from maritime computer systems and TVs to DVRs and some mobile phone models.

Android Debug Bridge (ADB) is an Android OS developer feature that, when enabled, allows remote users to access a Unix shell to conduct command-line device maintenance. According to researcher Kevin Beaumont, thousands of Android-type devices ship with ADB enabled, allowing hackers to remotely access them.

“Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device,” Beaumont wrote in a technical write-up of his research posted last week. “This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’ — the administrator mode — and then silently install software and execute malicious functions.”

He points out that it’s only the developer build of the Android OS that allows for the ADB to be enabled. Non-developer builds cannot be configured with the ADB enabled, he said. “In theory root shouldn’t be available in non-development builds, but there’s an apparent bypass on some devices – ADB shell ‘su -c command’.”

Either way, Beaumont said, the bad guys know about the problem. He pointed to a February report by researchers at Rapid7 that shows a spike in TCP port 5555 scanning. In the same timeframe, Beaumont also notes, researchers at 360Netlab identified a cryptojacking malware campaign leveraging the ADB interface on port 5555 to spread.

Dubbed ADB.Miner, the malware had begun spreading rapidly, 360Netlab said in February, propagating in ways similar to Mirai.

“The worm is spread using a modified version of Mirai’s code bolted onto a cryptominer. There is no central C2 server; in this case it is spreading peer-to-peer via port 5555. There are however bugs in the code, and it only works on certain types of devices,” Beaumont said.

Geographically, China, Hong Kong, Taiwan, South Korea and the United States appear to be impacted the most by the malware.

“This isn’t a systemic issue with Android,” said Michael Flossman, head of threat intelligence at Lookout. “This is a device manufacturer problem. This echoes what the industry has been saying for years. IoT devices are inadequately secured, have easily guessable passwords or passwords are never changed from their default. This allows, in the case of Mirai or ADB.Miner, for the malware to quickly spread on a global scale.”

A recent analysis of the ADB.Miner worm suggests the malware is still a problem. “It seems that it lives and it feels pretty well. I’ve checked out two days (4th, 5th of June) – about 40 000 unique IP addresses. I’ll provide some deep analysis soon,” tweeted Piotr Bazydlo, a researcher at NASK.

“These devices are misconfigured, and available all [over] the world. They even exist in corporations. If somebody wanted to, they could run something other than cryptocurrency mining — which could develop into a serious issue,” Beaumont said.
