Botnet Alert: Attackers Potentially Trying to Recruit Unsecure Android Devices Through Open Ports

Rafia Shaikh
android WireX botnet

Last month, a security report revealed that many Android phone makers are shipping devices with Android Debug Bridge (ADB) enabled by default. This exposed user devices to attacks since ADB is used to offer remote communication with devices. Since the Debug Bridge listens on port 5555, attackers could remotely access to install software or execute other functions.

While the feature is designed to offer developers a way to communicate with devices and execute commands, it should only be enabled after a user connects their devices via USB. It now appears that someone is trying to recruit these devices with open 5555 port in an attempt to turn them into a botnet.

Related StoryAnil Ganti
Fake COVID-19 Tracking App Found to Infect Android Phones With Ransomware

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports," security researchers at Trend Micro warned. "It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary. It attacks ADB by uploading the payload via TCP port 5555."

Satori botnet tries to infect more Android devices

Security researchers have warned that attackers are targeting port 5555 after observing a spike in activity between July 9 and July 10, followed by a second wave on July 15. The data shows that the first wave of traffic came from China and the US, while the second wave involved Korea.

The problem affects both the Android phones and IoT devices, including smart TVs.

“All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength."

After infecting devices, the malware performs a series of operations, including spreading itself as a worm to further the attack. Researchers also noted that one of Command and Control servers was linked to the Satori variant of the Mirai botnet. "Delving into the GeoIP information of the two IP addresses involved in the activity reveal that they are located in Europe; Spain for 95[.]215[.]62[.]169 and the Netherlands for 185[.]62[.]189[.]149," they wrote.

“It’s reasonable to believe that the same author was behind this sample and Satori."

Trend Micro warns that the worm function and trying to infect other potential targets is worrying since this could translate into other more serious attacks. "Perhaps in this instance, the threat actors were testing the effectiveness of their tools and tactics to prepare for a more serious attack," they wrote. Users are advised to check their devices to see if they have ADB enabled.

  • Head over to Settings > Developer Options
  • Make sure that "ADB (USB) debugging” and “Apps from Unknown Sources” are turned off.

Researchers have also recommended users who believe they may have already been infected to factory reset their devices.

Technical details are available here.

Share this story

Deal of the Day