Tens of Thousands of Android Devices Are Exposing Their Debug Port
The issue is not new. The team at Qihoo 360 Netlab first spotted it in February of this year, when they detected an Android worm that was spreading from Android device to Android device, infecting them with a cryptocurrency miner named ADB.Miner. The ADB.Miner worm exploited the Android Debug Bridge (ADB), a feature of the Android OS used for troubleshooting faulty devices. In the default version of the Android OS, the ADB feature is turned off, and users need to manually enable it while connecting their device via a USB connection.
Furthermore, ADB debugging supports a state named ‘ADB over WiFi’ that lets developers connect to a device via a WiFi connection instead of the default USB cable. The issue is that some vendors have been shipping Android-based devices with the ADB over WiFi feature left enabled in the production version of the product that landed in users’ hands. Customers using these devices may be unaware that their device is open to remote connections via the ADB interface, normally accessible via TCP port 5555.
This is how the ADB.Miner worm spread last February: by gaining access to a device via the ADB port, using the Unix shell to install a Monero miner, and then scanning for new devices to infect via port 5555. Last week, security sleuth Kevin Beaumont brought the issue to everyone’s attention once more. In a Medium blog post, Beaumont says that countless Android-based devices are still exposed online.
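
For a device you own, the ADB over WiFi state described above can be read from its system properties. The following is an added example, not code from the article or from Android: it parses saved `adb shell getprop` output and reports whether `adbd` is configured to listen on TCP. The function names and sample dumps are constructed, and the lookup order of the two properties is an assumption about `adbd`'s behaviour.

```python
import re

# Assumption: adbd reads these two properties, in this order, to decide
# whether to listen on TCP; the first non-empty one decides.
TCP_PORT_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn `getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props

def adb_tcp_port(props):
    """Return the TCP port adbd is configured for, or None when TCP is off."""
    for name in TCP_PORT_PROPS:
        value = props.get(name, "").strip()
        if value:
            try:
                port = int(value)
            except ValueError:
                return None
            return port if 0 < port < 65536 else None
    return None

def audit(text):
    """Summarise one device's ADB-over-TCP state from its getprop dump."""
    props = parse_getprop(text)
    port = adb_tcp_port(props)
    return {
        "model": props.get("ro.product.model", "unknown"),
        "build_type": props.get("ro.build.type", "unknown"),
        "adb_tcp_port": port,
        "tcp_enabled": port is not None,
    }

# Constructed sample dumps (not taken from real devices).
SET_TOP_BOX = """[ro.product.model]: [ExampleBox X1]
[ro.build.type]: [userdebug]
[persist.adb.tcp.port]: [5555]
"""
PHONE = """[ro.product.model]: [ExamplePhone 2]
[ro.build.type]: [user]
[service.adb.tcp.port]: [-1]
"""

if __name__ == "__main__":
    for dump in (SET_TOP_BOX, PHONE):
        print(audit(dump))
```

A device that reports `tcp_enabled` can be switched back to USB-only debugging with `adb usb`, though a vendor-set persistent property may re-enable TCP after a reboot.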