Coindesk Logo

TrendMicro Detects Crypto Mining Malware Affecting Android Devices

TrendMicro Detects Crypto Mining Malware Affecting Android Devices

TrendMicro Detects Crypto Mining Malware Affecting Android Devices

The botnet enters through the Android Debug Bridge port and spreads through SSH.

The botnet enters through the Android Debug Bridge port and spreads through SSH.

The botnet enters through the Android Debug Bridge port and spreads through SSH.

AccessTimeIconJun 23, 2019, 10:30 PM
Updated Aug 18, 2021, 1:05 PM

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

A new cryptocurrency-mining botnet has been detected exploiting Android Debug Bridge ports, a system designed to resolve app defects installed on a majority of Android phones and tablets.

The botnet malware, as reported by Trend Micro, has been detected in 21 countries and is most prevalent in South Korea.

The attack takes advantage of the way open ADB ports don’t require authentication by default, and once installed is designed to spread to any system that has previously shared an SSH connection. SSH connections connect a wide range of devices – everything from mobile to Internet of Things (IoT) gadgets – meaning a lot of products are susceptible.

"Being a known device means the two systems can communicate with each other without any further authentication after the initial key exchange, each system considers the other as safe," the researchers say. "The presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections."

It begins with an IP address.

45[.]67[.]14[.]179 arrives through the ADB and uses the command shell to update the working directory to "/data/local/tmp,” as .tmp files often have default permission to execute commands.

Once the bot determines its entered a honeypot, it uses the wget command to download the payload of three different miners, and curl if wget is not present in the infected system.

The malware determines which miner is best suited to exploit the victim depending on the system’s manufacturer, architecture, processor type, and hardware.

An additional command, chmod 777 a.sh, is then executed to change the permission settings of the malicious drop. Finally, the bot conceals itself from the host using another command, rm -rf a.sh*, to delete the downloaded file. This also hides the trail of where the bug originated from as it spreads to other victims.

Researchers examined the invading script and determined the three potential miners that can be used in the attack – all delivered by the same URL – are:

http://198[.]98[.]51[.]104:282/x86/bash

http://198[.]98[.]51[.]104:282/arm/bash

http://198[.]98[.]51[.]104:282/aarch64/bash

They also found the script enhances the host’s memory by enabling HugePages, which enables memory pages that are greater than its default size, to optimize mining output.

If miners are already found using the system the botnet attempts to invalidate their URL and kill them by changing the host code.

Pernicious and malicious cryptomining drops are continually evolving new ways to exploit their victims. Last summer, Trend Micro observed another ADB-exploiting that they dubbed the Satoshi Variant.

Outlaw, was spotted in the past weeks spreading another Monero mining variant across China through brute-force attacks against servers. At the time researchers hadn’t determined whether the botnet had begun mining operations, but found an Android APK in the script, indicating Android devices may be targeted.

Image via Shutterstock.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.