- The malware attacks Android Debug Bridge via open TCP port 5555.
- Researchers said its C&C server is linked to the Satori variant of the Mirai botnet.
Security researchers have observed an uptick in scanning activity targeting open ports in Android devices to deploy a possible variant of the infamous Satori and likely ensnare them into a botnet. The open TCP port 5555 has been previously exploited due to vendors shipping Android-based devices with the Android Debug Bridge (ADB) interface left enabled and open to remote connections.
ADB is an Android feature used by developers to remotely communicate with devices for diagnostic and debugging purposes. However, if not properly secured at shipping, ADB could open up the device to malicious attacks.
Trend Micro researchers discovered a new exploit targeting port 5555 after detecting two spikes in activity earlier this month on July 9-10 and July 15.
Suspicious scanning activity
"Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea," researchers said in a blog post. "From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary."
The malware attacks ADB by uploading the payload over the open TCP port 5555; the payload then deletes itself from disk and is renamed with a randomly selected name and an architecture string appended. The payload downloads a shell script that, in turn, downloads the next-stage binary for several architectures.
The binary obtains its own IP address before launching two child processes, one of which is responsible for spreading the malware as a worm. After opening a connection to the command-and-control (C&C) server, it sends a specially crafted 71-byte message to the server.
"This payload contains a header with the number of targets and IP packet types to be sent, followed by a list of target IPv4 addresses that are modified by an infected host with a randomly generated offset," researchers said. "Up next are port numbers and sleep times before it waits for a continuation and a random payload length. The malware then sends crafted IP packets with a randomly generated payload to the obtained attack list — possibly as part of a DDoS attack."
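The scanning of TCP port 5555 and the worm behaviour described above leave a recognisable trace in network flow logs. The following is an added example, not code from the Trend Micro report or from this article: it runs simple detection logic over constructed flow-log lines, flagging sources that probe port 5555 on many hosts and internal hosts that answer on that port (i.e. with ADB reachable). The log format, addresses, and function names are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

ADB_PORT = 5555  # TCP port used by ADB when enabled over the network

# Constructed sample flow log (assumed format):
# timestamp src_ip src_port dst_ip dst_port proto tcp_flags
SAMPLE_FLOWS = """\
2018-07-09T03:12:01Z 203.0.113.7 40112 10.0.0.5 5555 tcp S
2018-07-09T03:12:01Z 203.0.113.7 40113 10.0.0.6 5555 tcp S
2018-07-09T03:12:02Z 203.0.113.7 40114 10.0.0.7 5555 tcp S
2018-07-09T03:12:02Z 203.0.113.7 40115 10.0.0.8 5555 tcp S
2018-07-09T03:12:03Z 203.0.113.7 40116 10.0.0.9 5555 tcp S
2018-07-09T03:12:05Z 198.51.100.2 51000 10.0.0.5 443 tcp S
2018-07-09T03:12:06Z 198.51.100.2 51001 10.0.0.5 5555 tcp S
2018-07-09T03:13:00Z 10.0.0.5 5555 203.0.113.7 40112 tcp SA
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (tcp|udp) (\S+)$")


def parse_flows(text):
    """Parse flow-log lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, proto, flags = m.groups()
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "flags": flags})
    return flows


def adb_scanners(flows, min_targets=3):
    """Sources that sent TCP SYNs to port 5555 on >= min_targets distinct hosts
    (a horizontal scan, as seen before an ADB worm drops its stage 1 script)."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == ADB_PORT and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts, key=ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def exposed_adb_hosts(flows):
    """Hosts that answered on port 5555 with SYN/ACK: ADB is reachable on them."""
    return sorted({f["src"] for f in flows if f["proto"] == "tcp"
                   and f["sport"] == ADB_PORT and f["flags"] == "SA"}, key=ip_address)
```

A host listed by `exposed_adb_hosts` should have ADB over the network disabled, or the port blocked at the perimeter, since an open ADB port is what the scanning above is looking for.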
Another Satori variant
Researchers also noted that the C&C server is linked to the Satori variant of the Mirai botnet.
"It’s reasonable to believe that the same author was behind this sample and Satori. The important and identifiable strings are encrypted using a simple XOR method," they noted.
However, the latest malware versions seem to use a less sophisticated string-encryption method than older samples, which used a combination of byte swap and Base62 encoding.
"The worm function and seeking of other potential targets might mean that the two spikes in activities we detected might be a prelude to another attack that might cause more damage," researchers said. "Perhaps in this instance, the threat actors were testing the effectiveness of their tools and tactics to prepare for a more serious attack."
Poor IoT security
According to Shodan, more than 48,000 IoT systems were found to be vulnerable to ADB exploitation. Not all of these systems are directly exposed, since many are likely behind routers with Network Address Translation (NAT). Still, misconfiguration could make such devices reachable, whether manually or via UPnP NAT traversal, and therefore vulnerable to exploitation.
“All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength,” researchers said.