Two IoT botnets - Fbot and Trinity - have reportedly been spotted engaged in a turf war for control over thousands of vulnerable Android devices. Both botnets aim to gain control of vulnerable Android devices and mine for cryptocurrencies.
Fbot is believed to a variant of the Satori botnet, which itself is a Mirai variant. When it was first discovered in September 2018, many security experts deemed it to be a “vigilante” botnet, as it deleted cryptominers from infected Android systems.
Meanwhile, Trinity is believed to be an iteration of the ABD.Miner botnet. Like its predecessor, Trinity is designed to infect systems to mine for cryptocurrencies and look for ways to spread to other devices.
Fbot and Trinity are reportedly targeting Android devices, specifically those devices on which the Android Debug Bridge (ADB) port 555 has been left publicly exposed online by the devices’ owners. Although most Android devices have ADB disabled, there still exist thousands of devices which have ADB activated - either accidentally or by the devices’ manufacturers.
On any given day, around 30,000 to 35,000 Android devices can be found with exposed ADB ports, ZDNet reported. It appears that not just security experts but cybercriminals too are aware of these numbers. More and more botnet operators are now allegedly targeting Android devices with exposed ADB ports - not just to mine for cryptocurrencies but also to conduct other malicious activities like steal sensitive data, spy on victims and more.
The turf war between Fbot and Trinity indicates how valuable such unsecured Android devices are to cybercriminals. Users are advised to disable ADB port 5555 to stay safe from such botnet attacks.