Android cryptomining botnet is the new bad kid on the block

Security researchers are sounding the alarm about a new cryptomining botnet that, admittedly, does not have a catchy name yet. The cryptomining botnet, as Trend Micro's Jindrich Karasek reports, leverages open ADB (Android Debug Bridge) ports and spreads via SSH. What allows the cryptomining botnet to prey specifically on Android devices is, according to Karasek, the fact that ADB ports do not authenticate by default, which in turn allows the malicious code to spread to any device that had a prior SSH connection with the infected host.

Karasek gives the specifics about the payload in the Android cryptomining botnet in this excerpt from the report:

The script for a.sh reveals that this attack will choose from three different downloadable miners. This can be seen in the output of the "uname -m" command... The uname -m command, once executed, gets the infected system's information, such as its manufacturer, hardware details, and processor architecture. The output from this command is used as a variable for determining the miner to use in the attack... The three miners that can be used for this attack are listed below, all of which are delivered by the same URL.

  • http://198[.]98[.]51[.]104:282/x86/bash
  • http://198[.]98[.]51[.]104:282/arm/bash
  • http://198[.]98[.]51[.]104:282/aarch64/bash

To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as “/sbin/sysctl -w vm.nr_hugepages=128”. This botnet also tries to block its competitor by modifying /etc/hosts... After spreading to other devices connected to the system, it deletes its payload files, removing the traces on the victim host.

While this is not the first cryptomining botnet to be seen in the wild, its ability to form a literal battalion of Android zombie devices is rather concerning. Disabling ADB and changing default settings should offer some protection against becoming part of the botnet. Being careful about the apps you install should also be a given, but especially in this case, as certain apps (according to Trend Micro) can leverage this vulnerability. Finally, there are mobile security applications that detect malicious activity of this specific type and can protect you.
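The excerpt above names three host-level traces a defender can look for (vm.nr_hugepages forced to 128, tampered /etc/hosts entries, and adbd reachable over the network). The audit script below is an added example, not the botnet's a.sh or Trend Micro's code; it assumes the standard Linux sysctl file path and the Android convention that service.adb.tcp.port is empty or -1 when ADB is USB-only, and every check accepts an optional file or value so it can also run against a copied forensic image.

```shell
#!/bin/sh
# Indicator checks for the traces described in the report (added example, not the
# botnet's a.sh). Each function returns 0 when clean and 1 when something needs review.

# vm.nr_hugepages: the script sets it to 128; the kernel default is 0. Non-zero is a
# lead, not a verdict, since database hosts enable HugePages deliberately.
check_hugepages() {
    f="${1:-/proc/sys/vm/nr_hugepages}"
    [ -r "$f" ] || { echo "hugepages: $f not readable, skipped"; return 0; }
    n=$(tr -dc '0-9' < "$f")
    if [ "${n:-0}" -gt 0 ]; then
        echo "hugepages: SUSPECT vm.nr_hugepages=$n"
        return 1
    fi
    echo "hugepages: ok (0)"
}

# /etc/hosts: the script adds entries to block competing miners. Anything beyond
# comments, blank lines and the stock loopback/multicast entries is listed for review.
check_hosts() {
    f="${1:-/etc/hosts}"
    extra=$(grep -Ev '^[[:space:]]*(#|$)' "$f" \
        | grep -Ev '^[[:space:]]*(127\.0\.0\.1|127\.0\.1\.1|::1|fe00::0|ff00::0|ff02::[123])[[:space:]]' \
        || true)
    if [ -n "$extra" ]; then
        echo "hosts: SUSPECT non-default entries in $f:"
        printf '%s\n' "$extra" | sed 's/^/  /'
        return 1
    fi
    echo "hosts: ok"
}

# ADB over TCP is the initial access path. Assumed Android convention: the property is
# empty or -1 when adbd is USB-only; any port number means it accepts network connections.
check_adb_tcp() {
    port="${1-$(getprop service.adb.tcp.port 2>/dev/null || true)}"
    case "$port" in
        ''|-1) echo "adb: ok (tcp disabled)"; return 0 ;;
        *)     echo "adb: SUSPECT adbd listening on tcp/$port"; return 1 ;;
    esac
}

# Run all three against the live host; overall status is 1 if any check flagged something.
run_audit() {
    rc=0
    check_hugepages || rc=1
    check_hosts || rc=1
    check_adb_tcp || rc=1
    return $rc
}

run_audit && echo "audit: clean" || echo "audit: review the findings above"
```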

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
