- New malware botnet is hacking Android devices for mining.
- Malware has evolved over time, and TrendMicro has found it in the past.
TrendMicro has found a new botnet that is going after Android smartphones and tablets. This botnet is going after the Debug Bridge ports on devices, despite being a system that is meant to fix the defects in different Android-based apps. The botnet malware, as it turns out, has already been found in 21 different countries, though the location that seems to be the most prevalent is in South Korea.
This new attack goes after the lack of authentication required by open ADB ports by default. After the malware is installed, it will expand to any system that the device has shared an SSH connection. These connections link many types of devices, which means that there are many products at risk.
The researchers with TrendMicro stated,
“Being a known device means the two systems can communicate with each other without any further authentication after the initial key exchange, each system considers the other as safe. The presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections.”
The whole process begins as early as the first IP address, arriving through the ADB to update the working directory to a .tmp file with the command shell. After the bot determines that it has reached its destination, it uses a wget command, downloading the payload earned by three separate miners. The malware is programmed to decide which miner can exploit the infected device the best, based on the manufacturer, hardware, and other details.
Another command is executed to chance the permission settings, and the bot ends up concealing itself with another command that will hide it from the host, deleting the file that was downloaded. By deleting the file, the trail of where the bug came from in the first place, even though it continues to be used on other victims.
According to the researchers that examined the script used to invade these devices, there are three possible miners that could be used in the attack from the same URL:
In their research, TrendMicro also discovered that the host’s memory is enhanced if HugePages is enabled, since it enables any memory page that exceeds the default size. This change increases mining output. If there are already miners using it, the botnet tries to invalidate the URL, and they use the host code to kill them.
There are more and more ways that cryptocurrency mining drops are evolving, creating new ways to exploit the victims for personal gain. TrendMicro found another type of malware using the exploitation of ADBs that was called the Satoshi Variant.
To view the full report from TrendMicro, visit: here.