Crypto-mining Botnets invade Android Devices

Researchers at Trend Micro have discovered a new cryptocurrency-mining malware affecting Android devices across 21 countries, including the US, that takes control of devices and adds them to a botnet. The botnet propagates by abusing an open Android Debug Bridge (ADB) Wi-Fi interface and SSH (secure shell) to connect to known vulnerable hosts. At the beginning of the attack chain, the IP address 45[.]67[.]14[.]179 connects to the Android device using the ADB command shell and begins searching for additional hosts, including Internet of Things (IoT) devices; a ‘wget’ command then downloads the malware. Once the download is complete, the malware modifies the device’s hosts file to block competing miners. ADB over Wi-Fi is usually disabled by default, though some devices ship with the feature enabled. The NJCCIC suggests Android users disable the ADB feature and conduct a security scan of their devices. For technical details please read the Trend Micro blog and ZDNet article.
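Because the one persistent artifact this advisory names is the modified hosts file, a practical check is to compare a device's hosts file against a known-good baseline and flag any hostname that has been pointed at a loopback or null address. The script below is an added example written for this advisory; it is not code from the NJCCIC, Trend Micro or ZDNet. It assumes a stock Android hosts file (/system/etc/hosts) contains only the two loopback lines in `STOCK_HOSTS`, and the pool hostnames in the constructed sample are placeholders, not indicators from the report.

```python
"""Audit an Android hosts file for sinkhole entries added by malware.

Added example (not from the NJCCIC advisory or Trend Micro's report). It
assumes the stock Android hosts file (/system/etc/hosts) contains only the
two loopback lines below; anything beyond that baseline is reported.
"""
import ipaddress

# Baseline of the stock Android hosts file (assumption: unmodified build).
STOCK_HOSTS = {
    ("127.0.0.1", "localhost"),
    ("::1", "ip6-localhost"),
}

# Addresses that make a hostname unreachable when it is mapped to them.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line with no hostname
        addr = parts[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for host in parts[1:]:
            yield addr, host


def audit_hosts(text):
    """Return entries that are not part of the stock baseline.

    Each finding is (address, hostname, reason): 'sinkhole' when the hostname
    is pointed at a loopback/null address (the technique used to block rival
    miners), otherwise 'unexpected'.
    """
    findings = []
    for addr, host in parse_hosts(text):
        if (addr, host) in STOCK_HOSTS:
            continue
        reason = "sinkhole" if addr in SINKHOLE_ADDRS else "unexpected"
        findings.append((addr, host, reason))
    return findings


# Constructed sample: a stock file plus entries of the kind a miner would add
# to block competing pools. The hostnames are placeholders, not real IoCs.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
# added by malware (constructed example)
0.0.0.0         pool.example-miner.invalid
127.0.0.1       stratum.example-pool.invalid
"""

if __name__ == "__main__":
    for addr, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:10s} {addr:15s} {host}")
```

To run it against a real device over USB (with ADB over Wi-Fi kept disabled, as the advisory recommends), pull the file with `adb shell cat /system/etc/hosts` and pass the output to `audit_hosts`; any 'sinkhole' finding on a device that has never been deliberately customised warrants a closer look.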