Just last month, Kaspersky researchers spotted fake antivirus and porn Android apps infected with malware that mines Monero cryptocurrency, launches DDoS attacks, and performs several other malicious tasks, causing the phone's battery to bulge out of its cover.
Now, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new piece of wormable Android malware, dubbed ADB.Miner, that scans wide-range of IP addresses to find vulnerable devices and infect them to mine digital cryptocurrency.
According to the researchers, ADB.Miner is the first Android worm to reuse the scanning code programmed in Mirai—the infamous IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns.
ADB.Miner scans for Android devices—including smartphones, smart TVs, and TV set-top boxes—with publicly accessible ADB debug interface running over port 5555 and then infects them with a malware that mines Monero cryptocurrency for its operators.
Android Debug Bridge (ADB) is a command-line tool that helps developers debug Android code on the emulator and grants access to some of the operating system's most sensitive features.
It should be noted that almost all Android devices by default come with the ADB port disabled, so botnet would target only those devices that have manually been configured to enable port 5555.
Besides mining Monero cryptocurrency, ADB.Miner installed on an infected device also attempts to propagate itself by scanning for more targets on the Internet.
Researchers did not reveal exactly how or by exploiting which ADB flaw hackers are installing malware onto Android devices.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
However, the researchers believed hackers are not exploiting any vulnerability that targets any specific device vendor since they found devices from a wide range of manufacturers impacted.
According to the researchers, the infection started on January 21, and the number of attacks has increased recently. As of Sunday, the researchers detected 7,400 unique IP addresses using the Monero mining code—that's more than 5,000 impacted devices in just 24 hours.
Based on the scanning IP addresses, the highest number of infection has been noticed in China (40%) and South Korea (31%), the researchers estimated.
In order to fight against such malware Android users are advised not to install unnecessary and untrusted applications from the app store, even from Google Play Store, and keep your devices behind a firewall or a VPN.