New Cryptocurrency Malware Infects Android Devices, TVs

A new cryptocurrency-mining malware that infects both Android smartphones and smart TV set-top boxes, dubbed ADB.Miner, has been discovered by Wang Hui, a researcher at the security firm 360NetLab. The firm has detected around 7,000 infected IP addresses, and almost 80 percent of the victims are in China and South Korea. ADB.Miner takes advantage of an open port 5555, a port that is usually closed on Android devices. However, the Android Debug Bridge (ADB), a software tool commonly used to diagnose problems on an Android device, opens this port. The malware cannot open the port by itself, the researcher noted, which means that port 5555 on affected devices had already been opened before they were infected by ADB.Miner. After infecting a device with an open port 5555, the malware replicates itself and spreads to other Android devices that also have the port open. The firm noted that the malware is capable of doubling every 12 hours.
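An added example (not from 360NetLab or the original article): a Python check, for devices you administer, that reads `getprop` output and the `/proc/net/tcp` socket table to tell whether ADB is listening on TCP port 5555 on a non-loopback address. The sample text is constructed, and the property names `service.adb.tcp.port` and `persist.adb.tcp.port` are the standard Android ADB-over-TCP settings, not names taken from the article.

```python
import ipaddress
import re

ADB_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp
# Constructed sample input, not captured from a real device.
SAMPLE_GETPROP = """\
[service.adb.tcp.port]: [5555]
[persist.adb.tcp.port]: []
"""
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456
   2: 0A01A8C0:15B3 0B01A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 34567
"""

def adb_tcp_props(getprop_text):
    """Return {property: port} for ADB-over-TCP properties set to a positive port."""
    found = {}
    for name, value in re.findall(r"^\[([^\]]+)\]: \[(.*)\]$", getprop_text, re.M):
        if name in ADB_PROPS and value.isdigit() and int(value) > 0:
            found[name] = int(value)
    return found

def decode_addr(hex_addr):
    """Decode a /proc/net/tcp or tcp6 address (little-endian 32-bit words)."""
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, len(hex_addr), 8))
    return ipaddress.ip_address(raw)

def listeners_on(proc_text, port):
    """Return bind addresses of sockets in LISTEN state on the given port."""
    out = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == port:
            out.append(decode_addr(addr_hex))
    return out

def audit(getprop_text, proc_text, port=5555):
    """Flag the device when something listens on `port` beyond loopback."""
    binds = listeners_on(proc_text, port)
    return {"props": adb_tcp_props(getprop_text), "listeners": [str(a) for a in binds],
            "exposed": any(not a.is_loopback for a in binds)}

if __name__ == "__main__":
    print(audit(SAMPLE_GETPROP, SAMPLE_PROC_NET_TCP))
```

The same `listeners_on` function accepts the contents of `/proc/net/tcp6`, since that table uses the same columns with 32-digit addresses.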

The security firm was able to collect nine sample files from the malware. One of the sample files, named droidbot, has the same code and structure as the SYN scanning module of the Mirai malware. The droidbot code, according to Wang Hui, executes an ADB command that replicates the malware. The firm noted that ADB.Miner does not have a Command and Control (C&C) server; instead, it transfers the cryptocurrency tokens mined on the infected devices to a single wallet address.

This is not the first time that malware has used Android devices to mine cryptocurrency. In November 2017, the security firm Trend Micro discovered several apps in the Google Play Store that used the handset's CPU to mine cryptocurrencies like Magicoin, Feathercoin, and Vericoin. These apps managed to evade the security measures developed by the Mountain View-based search giant. Some of these apps use a WebView that is set to invisible mode in order to mine on users' handsets. Trend Micro also discovered that a number of advertisements on YouTube used the JavaScript-based cryptocurrency mining code developed by Coinhive to mine Monero. This cryptocurrency, which is resistant to mining by ASICs, can be traded for Bitcoin.