Botnet Targets Open Ports on Android Devices
23.7.2018 securityweek BotNet
A wave of attacks is targeting Android devices with port 5555 open, likely in an attempt to ensnare them into a botnet, Trend Micro warns.
TCP port 5555 is used to manage devices over Android Debug Bridge (ADB), an Android SDK tool that lets developers communicate with a device, run commands on it, or take full control of it.
Network ADB is meant to be disabled on commercial devices and to require an initial USB connection before it can be enabled. Last month, however, security researcher Kevin Beaumont revealed that many devices ship with ADB enabled, which leaves them exposed to attacks.
Scanning attacks specifically targeting the ADB port have been seen since January. In early 2018, a worm leveraging a modified version of Mirai’s code was searching for devices with open port 5555 to spread for crypto-mining purposes.
Now, Trend Micro says a new exploit is targeting port 5555. The security firm has observed a spike in activity on July 9-10, when network traffic came mainly from China and the US, followed by a second wave on July 15, primarily involving Korea.
“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary,” Trend Micro explains.
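Because the first stage is delivered over an ADB connection, the session opening itself is something a network defender can look for. The following is an added example, not code from the article or from Trend Micro: a passive detector that parses ADB's 24-byte message header and flags sources that send a client `CNXN` handshake toward TCP/5555. The sample segments and their addresses are constructed for the demonstration.

```python
import struct

# Added example (not from the SecurityWeek article or Trend Micro's report): a
# passive detector for ADB session openings toward TCP/5555 in captured traffic.
ADB_PORT = 5555
A_CNXN = 0x4E584E43            # "CNXN" read as a little-endian uint32: connect/handshake
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic

def parse_adb_message(payload: bytes):
    """Parse one ADB message (24-byte header + data); return a dict, or None if it is not ADB."""
    if len(payload) < HEADER.size:
        return None
    command, arg0, arg1, data_len, data_check, magic = HEADER.unpack_from(payload)
    if magic != (command ^ 0xFFFFFFFF):  # every ADB header carries command XOR 0xffffffff
        return None
    data = payload[HEADER.size:HEADER.size + data_len]
    if len(data) != data_len:
        return None
    # Protocol versions before 0x01000001 checksum the data as a plain byte sum;
    # newer peers may send 0 to skip the check, so accept either.
    if data_check not in (0, sum(data) & 0xFFFFFFFF):
        return None
    return {"command": command, "version": arg0, "maxdata": arg1, "data": data}

def is_adb_client_handshake(dst_port: int, payload: bytes) -> bool:
    """True when a segment to the ADB port carries a CNXN whose banner starts with 'host:',
    which is what a client (the adb tool, or anything speaking the protocol) sends first."""
    if dst_port != ADB_PORT:
        return False
    msg = parse_adb_message(payload)
    return msg is not None and msg["command"] == A_CNXN and msg["data"].startswith(b"host:")

def flag_adb_probes(segments):
    """Given (src_ip, dst_port, tcp_payload) records, return the sources opening ADB sessions."""
    return sorted({src for src, dport, payload in segments if is_adb_client_handshake(dport, payload)})

def build_cnxn(banner: bytes, version: int = 0x01000000, maxdata: int = 4096) -> bytes:
    """Build a CNXN message; used here only to construct sample traffic for the demo."""
    header = HEADER.pack(A_CNXN, version, maxdata, len(banner),
                         sum(banner) & 0xFFFFFFFF, A_CNXN ^ 0xFFFFFFFF)
    return header + banner

# Constructed sample segments (documentation-range addresses, not a real capture).
SAMPLE_SEGMENTS = [
    ("198.51.100.7", 5555, build_cnxn(b"host::\x00")),  # genuine ADB session opening
    ("203.0.113.9", 5555, b"GET / HTTP/1.1\r\n\r\n"),    # hits the port but is not ADB
    ("192.0.2.5", 80, build_cnxn(b"host::\x00")),        # ADB framing, but not the ADB port
]

if __name__ == "__main__":
    print("sources opening ADB sessions:", flag_adb_probes(SAMPLE_SEGMENTS))
```

Feeding real flow or packet data into `flag_adb_probes` only requires supplying the same (source, destination port, TCP payload) triples; any such source talking to a device that should not expose ADB is worth investigating.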
After infecting devices, the malware targets a series of processes for termination and launches its own child processes, one of which is responsible for spreading the malware as a worm. It also opens a connection to the command and control (C&C) server.
The payload also contains a header listing a number of targets and the IP packet types to be sent, which suggests the malware was designed to launch distributed denial of service (DDoS) attacks: it can send UDP, TCP SYN, and TCP ACK packets with a random payload of random length, UDP packets with a random payload tunneled through Generic Routing Encapsulation (GRE), and TCP SYN packets.
Trend Micro also discovered that the downloaded binaries connect to the C&C server at 95[.]215[.]62[.]169, which was found to be linked to the Mirai variant Satori.
“It’s reasonable to believe that the same author was behind this sample and Satori,” Trend's security researchers say.
The malware’s worm-like spreading capabilities could suggest other attacks might follow the recently observed spikes in activity, Trend Micro also notes. The security firm suggests the actor behind the malware might have been “testing the effectiveness of their tools and tactics to prepare for a more serious attack.”
An online search turns up more than 48,000 IoT systems vulnerable to ADB exploitation, though not all of them are necessarily reachable, as some are likely behind routers performing Network Address Translation (NAT). Even so, misconfigurations could make these devices accessible from the Internet, turning them into easy targets for the malware.
“All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength,” Trend Micro concludes.