A number of Android devices worldwide are apparently shipping with their Android Debug Bridge constantly listening for a network connection on port 5555, and hackers are already catching on and forcing unwitting devices to mine cryptocurrency for them. These devices are accessed via ADB, which means that attackers can run whatever commands they want, and if a root exploit exists for a device, they can use it. In practice, every device reachable this way is in very real danger of being remotely rooted, which brings its own set of problems, and of being made to do just about anything for the attackers, up to and including changes to its system code.
Android Debug Bridge normally has to be enabled by the user first, by going into their device’s Developer Settings. These devices, however, are not only shipping with USB debugging enabled, but also with ADB over the network. To be clear, this is not the way that ADB is supposed to be implemented. It allows anybody to scan for open connections on port 5555 and send each open port they find a set of ADB instructions. Affected devices will obey, and anything else will simply return an error and continue operating as normal. Affected devices are found worldwide, but tend to be concentrated in China. To check for affected devices on your own network, you can manually scan it for connections on port 5555; the method and tools for this differ vastly depending on what device and OS you’re using. If you find that you own an affected Android device and you can get into its Settings menu, go into About Device or the equivalent subheading, then find your Build Number and tap on it seven times to enable Developer Settings. Go into the new menu and disable ADB in order to block the exploit.
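A plain port scan cannot tell whether whatever answers on 5555 is actually an ADB daemon, or whether that daemon will talk to an unauthenticated client. The following added example (not code from the article) performs only the first step of the public ADB wire protocol, a CNXN handshake, against hosts you name on the command line, and classifies the reply: a CNXN answer means the daemon accepted the connection without authentication (the condition described above), AUTH means it demands an RSA key, anything else is not ADB. The protocol constants are from the public ADB protocol description; the classification labels are this example's own.

```python
import socket
import struct

# ADB wire-protocol constants (public adb protocol.txt).
A_CNXN = 0x4E584E43      # "CNXN": connection / banner message
A_AUTH = 0x48545541      # "AUTH": daemon requires RSA key authentication
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
# 24-byte header: command, arg0, arg1, data_len, data_check, magic
HEADER = struct.Struct("<6I")

def build_message(command, arg0, arg1, data=b""):
    """Encode one ADB message: header followed by payload."""
    check = sum(data) & 0xFFFFFFFF        # payload checksum is a byte sum
    magic = command ^ 0xFFFFFFFF          # magic is the bitwise inverse of command
    return HEADER.pack(command, arg0, arg1, len(data), check, magic) + data

def build_cnxn():
    """The client-side CNXN message that opens every ADB session."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")

def classify_response(raw):
    """Map the first bytes received to 'adb-open', 'adb-auth' or 'not-adb'."""
    if len(raw) < HEADER.size:
        return "not-adb"
    command, _, _, _, _, magic = HEADER.unpack_from(raw)
    if magic != (command ^ 0xFFFFFFFF):
        return "not-adb"                  # header does not self-validate
    if command == A_CNXN:
        return "adb-open"                 # daemon replied with its banner: no auth
    if command == A_AUTH:
        return "adb-auth"                 # daemon wants an RSA-signed token first
    return "not-adb"

def probe(host, port=5555, timeout=3.0):
    """Connect, send CNXN, and classify whatever comes back (no commands are run)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cnxn())
            raw = s.recv(HEADER.size + MAX_PAYLOAD)
    except socket.timeout:
        return "no-reply"
    except OSError:
        return "closed"
    return classify_response(raw)

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:             # e.g. python probe.py 192.0.2.10 192.0.2.11
        print(host, probe(host))
```

Run it only against hosts on a network you administer; an "adb-open" result is the device the remediation steps above apply to.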
ADB exploits are uncommon, since the interface is normally controlled entirely by the device’s owner, i.e. the user. Cryptocurrency mining exploits, however, are far more common, and can be implemented in a number of ways that don’t all necessarily involve a high degree of client intrusion. They can be served up via drive-by web pages with JavaScript instructions, embedded code in ads on otherwise legitimate pages, and hidden code in seemingly benign apps, to name a few.