Android cryptomining botnet is the new bad kid on the block

Security researchers are sounding the alarm about a new cryptomining botnet that, admittedly, does not have a catchy name yet. As Trend Micro's Jindrich Karasek reports, the botnet gets its initial foothold through Android Debug Bridge (ADB) ports left reachable on the network and then spreads over SSH. What lets it prey on Android devices in particular is that an exposed ADB port accepts connections without authentication, so anything that can reach it can drop and run the miner; once on a device, the malicious code reuses that host's existing SSH relationships to move on to other devices the victim had previously connected to.

Karasek gives the specifics about the payload in the Android cryptomining botnet in this excerpt from the report:

The script for a.sh reveals that this attack will choose from three different downloadable miners. This can be seen in the output of the “uname -m” command... The uname -m command, once executed, gets the infected system’s information, such as its manufacturer, hardware details, and processor architecture. The output from this command is used as a variable for determining the miner to use in the attack... The three miners that can be used for this attack are listed below, all of which are delivered by the same URL.

  • http://198[.]98[.]51[.]104:282/x86/bash
  • http://198[.]98[.]51[.]104:282/arm/bash
  • http://198[.]98[.]51[.]104:282/aarch64/bash

To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as “/sbin/sysctl -w vm.nr_hugepages=128”. This botnet also tries to block its competitor by modifying /etc/hosts... After spreading to other devices connected to the system, it deletes its payload files, removing the traces on the victim host.

While this is not the first cryptomining botnet seen in the wild, its ability to turn Android devices into a battalion of zombies is concerning. The practical defenses follow from how it gets in: do not leave ADB enabled, and in particular do not leave it listening on the network (a device put into TCP mode for development should be switched back to USB, and developer options turned off when they are not needed), and change any default settings that expose the device. Being careful about which apps you install should be a given, but especially here, since Trend Micro notes that certain apps can exploit this weakness. Finally, mobile security applications that detect this specific kind of malicious activity can add another layer of protection.
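As an added example (not code from Trend Micro's report or from the botnet's own a.sh dropper), the following POSIX shell script triages a Linux host or an `adb shell` session for the things the excerpt describes: which of the three miner builds the `uname -m` branch would fetch, whether adbd is listening on the network, whether `vm.nr_hugepages` has been raised, which names in /etc/hosts have been sinkholed, and which hosts the bot could reach next over SSH. Several details are assumptions rather than facts from the page: 5555 as the `adb tcpip` default port, `~/.ssh/known_hosts` as the list of "prior SSH connections", sinkholing to 0.0.0.0/127.0.0.1 as the shape of the /etc/hosts edit, and the exact `uname -m` match rules. All command outputs and file contents used below are constructed samples.

```shell
#!/bin/sh
# Host triage for the ADB-borne miner described above. Added example; not code
# from Trend Micro's report or from the botnet's a.sh dropper.
# Assumptions (not stated on the page): 5555 is the adb tcpip default port,
# known_hosts is where the "prior SSH connections" are found, and the sample
# command outputs below are constructed for offline testing.

# 1. Which of the three miner builds (x86 / arm / aarch64) the dropper would
#    fetch for this machine. a.sh branches on `uname -m`; this mirrors that.
#    The exact match rules are an assumption; the three buckets are the report's.
miner_bucket() {
    case "$1" in
        x86_64|i?86)   echo x86 ;;
        aarch64|arm64) echo aarch64 ;;
        arm*)          echo arm ;;
        *)             echo unsupported ;;
    esac
}

# 2. Is adbd reachable over the network? $1 is the output of `ss -ltn` or
#    `netstat -ltn`. A 5555 listener bound to loopback is not exposed, so it
#    is ignored; one bound to * or a routable address is the finding.
adb_tcp_exposed() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /:5555$/ && $i !~ /^(127\.|\[::1\])/) found = 1
        }
        END { exit !found }'
}

# 3. The dropper runs `sysctl -w vm.nr_hugepages=128`. $1 is the value read
#    from /proc/sys/vm/nr_hugepages; a phone or IoT box normally has 0.
hugepages_tuned() {
    [ "${1:-0}" -gt 0 ] 2>/dev/null
}

# 4. /etc/hosts entries that sinkhole a name to 0.0.0.0/127.0.0.1/::1, the
#    usual way to starve a competing miner (an assumption about what the
#    report's "modifying /etc/hosts" looks like). $1 is the file content.
hosts_sinkholes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i !~ /^(localhost|localhost\.localdomain|ip6-localhost|ip6-loopback)$/) print $i
            }
        }'
}

# 5. Hosts the bot could reach next: the plaintext names in known_hosts.
#    Hashed entries (HashKnownHosts yes) are counted but not recoverable,
#    which is exactly why hashing them is a cheap mitigation here.
ssh_targets() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        { f = ($1 ~ /^@/) ? 2 : 1 }   # skip @cert-authority / @revoked markers
        substr($f, 1, 3) == "|1|" { hashed++; next }
        { n = split($f, names, ","); for (i = 1; i <= n; i++) print names[i] }
        END { if (hashed) printf "%d hashed entries, hostnames not recoverable\n", hashed > "/dev/stderr" }'
}

triage() {   # $1 ss/netstat output, $2 nr_hugepages, $3 /etc/hosts, $4 known_hosts
    echo "miner build for $(uname -m): $(miner_bucket "$(uname -m)")"
    adb_tcp_exposed "$1" && echo "ADB over TCP exposed on 5555: YES" || echo "ADB over TCP exposed: no"
    hugepages_tuned "$2" && echo "vm.nr_hugepages=$2: tuned (dropper sets 128)" || echo "vm.nr_hugepages: default"
    echo "sinkholed names in /etc/hosts:"; hosts_sinkholes "$3" | sed 's/^/  /'
    echo "SSH hosts reachable from here:"; ssh_targets "$4" | sed 's/^/  /'
}

# Constructed sample inputs (what an infected, exposed device might show).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4      *:5555              *:*'
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4      127.0.0.1:5555      0.0.0.0:*'
SAMPLE_HOSTS='127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
0.0.0.0     pool.example.net
127.0.0.1   proxy.example.org   # appended by the dropper (constructed)'
SAMPLE_KNOWN_HOSTS='build-box.internal,10.0.0.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeKeyMaterial
[jump.example.net]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYFakeKeyMaterial'

# TRIAGE_LIVE=1 ./triage.sh runs against the real host; otherwise the samples.
# Remediation once found: `adb usb` puts adbd back on USB only.
if [ "${TRIAGE_LIVE:-0}" = 1 ]; then
    triage "$( { ss -ltn || netstat -ltn; } 2>/dev/null)" \
           "$(cat /proc/sys/vm/nr_hugepages 2>/dev/null)" \
           "$(cat /etc/hosts 2>/dev/null)" \
           "$(cat "$HOME/.ssh/known_hosts" 2>/dev/null)"
else
    triage "$SAMPLE_SS" 128 "$SAMPLE_HOSTS" "$SAMPLE_KNOWN_HOSTS"
fi
```

Run it as-is to see the checks against the constructed samples, or with `TRIAGE_LIVE=1` on a host you suspect; on an Android device the same functions work from `adb shell` with `netstat -ltn`, since the awk matches LISTEN and the `:5555` field wherever they appear. The two cheap hardening steps the script points at are `adb usb` (or simply turning developer options off) so adbd no longer listens on the network, and `HashKnownHosts yes` in ssh_config, which removes the ready-made target list the SSH spreading relies on.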


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
