A fast-moving botnet using code from the infamous Mirai malware infected thousands of Android devices in the first 24 hours after its activation, researchers have warned.
Botnets, which take over computer systems’ resources for use in illicit tasks such as sending spam or attacking websites, have in recent years increasingly targeted internet-connected gadgets such as routers and security cameras.
Mirai used a network of such devices to help bring down DNS services provider Dyn in October 2016, temporarily disabling access to a number of major websites.
In this case, the ADB Miner botnet appears to focus on using the system resources of Android devices to mine cryptocurrencies.
Chinese security firm Netlab said it saw a sudden jump in traffic from infected devices via port 5555 beginning on Saturday and growing tenfold over the following eight hours.
The last time the company said it had seen such as rapid increase in scans from a particular port was when the Mirai malware became active in September 2016. The scans indicate devices are infected with malware and are searching for other vulnerable gadgets.
Devices don’t normally leave port 5555 open, but a developer tool called Android Debug Bridge (ADB) exposes it to perform diagnostic tests. ADB Miner appears to spread by searching for gadgets with the port open, and then exploiting an undisclosed security flaw to implant itself on them.
“We think there is a new and active worm targeting Android system’s ADB debug interface spreading,” Netlab’s Hui Wang wrote in an
advisory. “This worm has probably infected more than 5,000 devices in just 24 hours.”
ADB Miner uses some of Mirai’s code to perform the scans, Netlab said, adding it was the first time it had seen Mirai code being used in an Android botnet.
Smartphones and set-top boxes
Netlab said most of the infected devices are Android smartphones and television set-top boxes with the ADB interface open. About 40 percent are located in China, with another 30 percent in South Korea.
The company withheld details about the models affected in order to prevent copycat attackers making use of the information.
Some botnets, including Mirai, search for particular makes of devices that use known login credentials by default. But Netlab said it didn’t think the problem was a vendor-level issue.
ADB Miner appears to be looking to cash in on recent speculation in cryptocurrencies by using Android resources to mine the Monero currency. As of Tuesday morning, however, the mining pool used by the attackers, called Monero Hash Vault, said only about £2 worth of Monero had been produced.
Currency-mining malware can have a destructive effect on low-powered devices, as was the case with the recent Loapi strain, which ran a number of different simultaneous scams on infected Android gadgets, including mining Monero and generating spurious ad traffic.
Researchers found after allowing Loapi to run on a test device for two days the constant workload caused the battery to bulge and deformed the phone’s cover.
Do you know all about security? Try our quiz!