A network worm has surfaced on Android devices that exploits Android Debug Bridge (ADB) feature of the mobile OS – a feature that is enabled by default by phone manufacturers.
Security researcher Kevin Beaumont revealed this issue in a blog post stating that ADB is completely unauthenticated and thousands of Android devices connected to the internet are currently being exploited through this vulnerability.
How does the exploitation take place?
Hardware manufacturers ship their products with Android Debug Bridge left enabled, and the service listens to TCP port 5555 through which anyone can connect to a device over the internet.
“However, to enable it — in theory — you have to physically connect to a device using USB and first enable the Debug Bridge,” says Kevin.
Given that ADB is a troubleshooting utility, it allows a user to access several sensitive tools, including a Unix shell. Exploiting this very feature, a cryptocurrency miner called ADB.Miner worm spread to several devices in February. It could scan for new devices to infect by using port 5555.
The risks at stake
According to Kevin, there are thousands of Android-based devices still exposed online. Anybody connected to a device running ADB can execute commands remotely.
“This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’ — the administrator mode — and then silently install software and execute malicious functions.”
ADB.Miner is still active
The ADB.Miner worm that was first spotted in February by Qihoo 360 Netlab is very much alive, and the scanning activity on port 5555 hasn’t yet stopped. Millions of scans recorded in the last month itself.
“Using data from Qihoo 360’s Netlab – which features extracts from Netflow data in ISPs and transit providers – we can see massive amounts of port 5555 traffic arriving live.” Kevin added.
@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I’ve been fingerprinting on February. It seems that it lives and it feels pretty well. I’ve checked out two days (4th, 5th of June) – about 40 000 unique IP addresses. I’ll provide some deep analysis soon. pic.twitter.com/HZcTkMPW5o
— Piotr Bazydło (@chudyPB) June 8, 2018
The solution
Kevin advises Android device owners to disable the ADB interface immediately. “These are not problems with Android Debug Bridge itself,” said Kevin. “ADB is not designed to be deployed in this manner.”
He also added that vendors should not ship products with Android Debug Bridge enabled over a network because it leads to the creation of a Root Bridge – a situation where anybody can misuse devices.
