Android cryptomining botnet is the new bad kid on the block

Security researchers are sounding the alarm about a new cryptomining botnet that, admittedly, does not have a catchy name yet. The botnet, as Trend Micro's Jindrich Karasek reports, gets onto devices through open ADB (Android Debug Bridge) ports and spreads from there over SSH. What lets it prey on Android devices in particular is, according to Karasek, that ADB does not require authentication by default: when the debug bridge is left listening on a network port, anyone who can reach it gets a shell and can drop the payload. Once on a host, the malicious code uses that host's existing SSH connections to spread to the devices it had previously connected to.

Karasek gives the specifics about the payload in the Android cryptomining botnet in this excerpt from the report:

The script for a.sh reveals that this attack will choose from three different downloadable miners. This can be seen in the output of the “uname -m” command… The uname -m command, once executed, gets the infected system’s information, such as its manufacturer, hardware details, and processor architecture. The output from this command is used as a variable for determining the miner to use in the attack… The three miners that can be used for this attack are listed below, all of which are delivered by the same URL.

  • http://198[.]98[.]51[.]104:282/x86/bash
  • http://198[.]98[.]51[.]104:282/arm/bash
  • http://198[.]98[.]51[.]104:282/aarch64/bash

To optimize the mining activity, the script also enhances the victim’s memory by enabling HugePages, which will help the system support memory pages that are greater than its default size. This ability can be seen in the script as “/sbin/sysctl -w vm.nr_hugepages=128”. This botnet also tries to block its competitor by modifying /etc/hosts… After spreading to other devices connected to the system, it deletes its payload files, removing the traces on the victim host.

While this is not the first cryptomining botnet to be seen in the wild, its ability to assemble a battalion of Android zombie devices is rather concerning. Turning ADB off (the USB debugging option under Developer options) when you are not actively using it, and never leaving it listening on a network port, should keep you out of the botnet. Being careful about the apps you install should be a given, but especially here, since certain apps can, according to Trend Micro, expose a device through this same ADB weakness. Finally, there are mobile security applications that detect this specific kind of malicious activity and can protect you.
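Because the excerpt says the payload deletes its own files once it has spread, a responder is better off looking for the behaviours it leaves behind than for the files. The POSIX shell script below is an added example written for this page, not Trend Micro's code and not the botnet's a.sh. It checks the four things the excerpt describes: a listener on TCP 5555 (ADB's default network port, so an assumption about which port "open ADB" means), a non-zero vm.nr_hugepages (the quoted script sets 128), /etc/hosts entries that map non-loopback names to 0.0.0.0 or 127.0.0.1 (the excerpt says rivals are blocked via /etc/hosts but not how, so that mapping is a guess at the usual technique), and the hosts listed in known_hosts, which are the SSH targets it could spread to next. Each check is a function over its input text, so it runs against the constructed samples embedded in the script; `--live` runs the same checks on a Linux host or in an `adb shell` where `ss`/`netstat` and /proc are available.

```sh
#!/bin/sh
# Triage checks for the behaviours quoted from the Trend Micro excerpt.
# Added example for this page; NOT Trend Micro's code and NOT the botnet's a.sh.
# Every check takes its input as a string, so it runs against the
# constructed samples below and, with --live, against the real host.

# --- Constructed samples (invented for this example, not captured from an infection)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   *:5555              *:*'
SAMPLE_SS_CLEAN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SAMPLE_HOSTS='127.0.0.1 localhost
127.0.1.1 devbox
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 pool.example.net        # a rival pool sinkholed (assumed technique)
127.0.0.1 mining.example.org'
SAMPLE_KNOWN_HOSTS='10.0.0.7,build-01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial
[10.0.0.9]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial
|1|SaltConstructed=|HostHashConstructed= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial'

# 1. Is ADB reachable over TCP? Input: output of `ss -ltn` or `netstat -ltn`;
#    the local address is column 4 in both. 5555 is ADB's default network port.
adb_tcp_listening() {
    printf '%s\n' "$1" | awk '$4 ~ /:5555$/ { found = 1 } END { exit !found }'
}

# 2. HugePages turned on. Input: value of vm.nr_hugepages. The quoted script
#    sets 128; 0 is the usual default on phones and small servers.
hugepages_enabled() {
    [ "$1" -gt 0 ] 2>/dev/null
}

# 3. /etc/hosts sinkholes. Input: file contents. Prints every non-loopback
#    name mapped to 0.0.0.0 or 127.0.0.1 (assumed to be how rivals are blocked).
hosts_sinkhole_entries() {
    printf '%s\n' "$1" | awk '
        NF < 2 || $1 ~ /^#/ { next }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                      # trailing comment
                if ($i !~ /^(localhost|localhost\.localdomain|ip6-localhost|ip6-loopback)$/)
                    print $i
            }
        }'
}

# 4. Where could it hop next? Input: known_hosts contents. Prints each host the
#    box has SSHed to; hashed entries (HashKnownHosts yes) only show as such.
ssh_known_targets() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        { f = ($1 ~ /^@/) ? 2 : 1 }                       # skip @cert-authority/@revoked
        substr($f, 1, 3) == "|1|" { print "(hashed entry)"; next }
        { n = split($f, h, ","); for (i = 1; i <= n; i++) print h[i] }'
}

demo() {
    echo "Constructed samples:"
    if adb_tcp_listening "$SAMPLE_SS"; then echo "  ADB: 5555 is listening"; fi
    if hugepages_enabled 128; then echo "  HugePages: nr_hugepages=128"; fi
    echo "  /etc/hosts sinkholes:"; hosts_sinkhole_entries "$SAMPLE_HOSTS" | sed 's/^/    /'
    echo "  SSH targets:";         ssh_known_targets "$SAMPLE_KNOWN_HOSTS" | sed 's/^/    /'
}

run_live() {
    if adb_tcp_listening "$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)"; then
        echo "ADB listening on 5555: anyone who can reach it gets an unauthenticated shell"
    fi
    hp=$(cat /proc/sys/vm/nr_hugepages 2>/dev/null)
    if hugepages_enabled "$hp"; then echo "vm.nr_hugepages=$hp (quoted script sets 128)"; fi
    echo "/etc/hosts sinkholes:"; hosts_sinkhole_entries "$(cat /etc/hosts)"
    for f in "$HOME/.ssh/known_hosts" /root/.ssh/known_hosts; do
        if [ -r "$f" ]; then echo "SSH targets from $f:"; ssh_known_targets "$(cat "$f")"; fi
    done
}

case "${1:-}" in
    --live) run_live ;;
    *)      demo ;;
esac
```

Run it with no arguments to see the checks against the constructed samples, or `sh triage.sh --live` on the suspect host. A hit on the HugePages or /etc/hosts check is a lead, not proof: databases legitimately set nr_hugepages, and admins do sinkhole domains by hand, so confirm with the SSH target list and with what is actually consuming CPU before declaring an infection.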
