A new cryptocurrency-mining worm has been found spreading quickly through smartphones and TV devices. By abusing ADB, a debugging feature that was accidentally left open, it has infected several thousand devices and forced them to use all their CPU power for mining and further spreading. Thankfully, detection isn’t impossible.


What is the Android Debug Bridge?

The Android Debug Bridge (ADB) is a feature used by developers to perform diagnostics and to remotely control and communicate with Android devices. Port 5555 is used for this communication, and while it is very useful for testing, it poses a massive risk if left open. That is just what has occurred: countless Android devices have been found shipped with the functionality accidentally enabled.

Now, what exactly could happen if an attacker were to access a device with the service running? They’d receive the same privileges as a developer, meaning totally invisible, remote control of the unit, something which didn’t take long for hackers to realize.


Security researchers from 360 Netlab discovered last week that a network worm dubbed ADB.Worm had begun to spread rapidly. The malware has been seen scanning the internet for vulnerable devices with port 5555 left open. Once such a device is detected, the malware attempts to infect it and then proceeds to look for new victims from the now-infected device.

Once a device is compromised, the primary function of ADB.Worm begins: cryptocurrency mining, with the malware focusing on Monero, a currency praised for its anonymity. According to 360 Netlab, the primary targets are smartphones and TV devices such as the Amazon Fire TV.

Detect an infection

Thankfully, detecting an infection is relatively easy: the malware drains nearly 100% of the device’s processor for its mining operation, meaning a sudden slow-down could be a sign. ADB.Worm has been found installed under the name “Test” as the package “com.google.time.time”.

If these are found on your device, a full system reset is recommended. Finally, the ADB feature should be disabled if active.
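
The checks described above can be scripted for a device you own. The following is an added example, not code from 360 Netlab or the original article: it looks for the package name given above and reports whether ADB is listening on the network. It assumes `adb` is on the PATH with the device attached over USB, and it reads the standard Android properties `service.adb.tcp.port` and `persist.adb.tcp.port`, which the article does not mention.

```python
"""Triage an Android device for the ADB.Worm indicators named in the article."""
import subprocess

SUSPECT_PACKAGE = "com.google.time.time"  # package name reported in the article


def installed_packages(pm_output):
    """Parse `pm list packages` output into a set of exact package names."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def adb_tcp_port(prop_value):
    """Return the TCP port adbd listens on, or None when network ADB is off."""
    try:
        port = int(prop_value.strip())
    except ValueError:          # empty or non-numeric property: not configured
        return None
    return port if port > 0 else None


def triage(pm_output, service_port, persist_port):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    # Exact match only, so a longer name sharing the prefix is not flagged.
    if SUSPECT_PACKAGE in installed_packages(pm_output):
        findings.append("package %s is installed" % SUSPECT_PACKAGE)
    port = adb_tcp_port(service_port) or adb_tcp_port(persist_port)
    if port is not None:
        findings.append("ADB is listening on TCP port %d" % port)
    return findings


def shell(cmd):
    """Run one command on the attached device (assumes `adb` is on PATH)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for finding in triage(shell("pm list packages"),
                          shell("getprop service.adb.tcp.port"),
                          shell("getprop persist.adb.tcp.port")):
        print("WARNING:", finding)
```

No output means neither indicator matched; it does not rule out a variant that uses a different package name.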