A new exploit targeting Android devices with open ADB port 5555 to spread malware through command line troubleshooting utility called Android Debug Bridge (ADB) which allows developers to debug apps on the Android devices.
The port generally shut down on the android device and user needs to need to turn it on manually while connecting their device through USB. Attackers trying to exploit the devices with port 5555 open and turn them into a botnet.
Security researchers from Trend Micro spotted suspicious spikes of a new exploit targeting port 5555 on July 9-10 and July 15. The first wave of traffic from China and the US, the second wave from Korea.
Multi-Stage Attack Satori
The malware spreads through scanned ADB ports, the first stage of the script is to establish a connection with the target system and download the two stage 2 shell scripts “adbs” and “adbs2″.
The 2 Stage two shell scripts download the stage 3 binary by using different download methods, the first one uses curl and the second one BusyBox.
With further analysis of downloaded binaries and the C&C server it connected, researchers linked to the Satori variant of the Mirai botnet. The C&C servers located in Spain for 95[.]215[.]62[.]169 and the Netherlands for 185[.]62[.]189[.]149.
Malware version is less sophisticated, it uses the combination of byte swap and Base62 encoding. It appears the attackers testing their tools to launch a serious attack.
” All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength.”
Satori is a variant of the infamous Mirai botnet, it was first discovered on 2017-11-22. Like Mirai botnet, Satori won’t use brute-force, instead, it uses exploits to take control of the devices.
Users are advised to check if they have ADB enabled. Settings > Developer Options and make sure that you have turned off “ADB (USB) debugging” and “Apps from Unknown Sources”.