Monero Mining Botnet Infects Thousands of Android Devices in a Matter of Hours

At the moment, the value of most of the popular cryptocurrencies is going down, but it's still fairly high compared to where they were about a year ago. The cryptocurrency mania that we've observed over the last few months has also taken the cybercriminals by storm, and, as you probably know, we've seen quite a few attacks in which devices belonging to unsuspecting users started mining digital money for the crooks. On Saturday, Chinese security company 360 Netlab spotted the next in a long line of mining tools that generate a cryptocurrency called Monero. It's fair to say that it's spreading like wildfire.

The name of the malware is ADB.Miner, and it affects Android devices. This is bad news for users of Google's mobile operating system because, while a miner can put a lot of strain on a computer's CPU and GPU, it's unlikely to cause any physical damage there. As the Loapi trojan showed us about two months ago, however, when the mining takes place on a smartphone, the outcome could be a lot more severe.

Unlike Loapi, which fooled users into thinking that it was an app that delivers adult content, ADB.Miner doesn't try to deceive the victims in any way. In fact, the new miner can be installed and run on a device without any user interaction whatsoever.

ADB.Miner is named after the ADB debugging interface. ADB stands for Android Debug Bridge, and it's a tool that lets technicians communicate with an Android device from a PC or a laptop. ADB can be used both through a USB cable and through Wi-Fi via port 5555. That's the port ADB.Miner looks for when it's expanding the network of cryptocurrency mining devices. The propagation process is completely automated, and it works without a Command & Control (C&C) server, which means that taking the botnet down won't be an easy task. ADB.Miner's authors didn't develop the clever propagation module from scratch, though.

In fact, after analyzing the miner closely, Netlab's experts saw that ADB.Miner uses exactly the same scanning and spreading tool as the infamous Mirai. We all know how quickly Mirai spread, and we all remember how huge its impact was. In theory, despite using the same scanner, ADB.Miner should have a lot more problems propagating.

While Mirai was targeting all sorts of insecure Internet-of-Things devices that were left with their default passwords and all ports open, ADB.Miner can hit only one operating system through a single port. And by default, that port is closed on Android gadgets.

Indeed, out of the box, Android's debugging feature should be disabled, but it would appear that for many devices, it's not. Netlab started monitoring the botnet on January 31, and by February 5, they had already seen more than 7,000 infections.

This is certainly an impressive number, especially considering the short timespan, but the hackers will likely want to distribute the miner to quite a few more devices. At the time of writing, the Monero (XMR) wallet associated with the attack has received no payments and has a pending balance of just over 0.001 XMR, which equates to $0.20.

Whether the crooks will be able to infect more people and make some actual money, only time will tell. One thing is certain, however – you definitely don't want to have ADB.Miner running on your device, so check Android's settings and make sure that the debugging feature has been turned off.
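
The settings check recommended above can also be scripted from `adb shell` over USB or from an on-device terminal. The following is an added example, not code from the article or from Netlab; the `adb_enabled` setting and the `service.adb.tcp.port` / `persist.adb.tcp.port` properties are standard Android names that the article does not mention, and the sample socket table is constructed.

```shell
#!/bin/sh
# Added example: report whether ADB on this Android device is reachable over
# the network. Run from `adb shell` over USB or an on-device terminal.

# Constructed /proc/net/tcp excerpt (not from a real device): a listener on
# 0.0.0.0:5555 (hex 15B3) plus an unrelated loopback listener.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000'

# Reads /proc/net/tcp-format text on stdin; succeeds if a socket in LISTEN
# state (st 0A) is bound to local port 5555 on any address (IPv4 or IPv6).
listening_on_adb_port() {
    while read -r _sl local _remote state _rest; do
        case "$local:$state" in
            *:15B3:0A) return 0 ;;
        esac
    done
    return 1
}

# adb_exposure ADB_ENABLED TCP_PORT_PROPERTY LISTENING(yes|no) -> verdict
adb_exposure() {
    case "$2" in
        ''|0|*[!0-9]*) tcp_configured=no ;;   # unset, 0 or -1: no TCP transport
        *)             tcp_configured=yes ;;
    esac
    if [ "$3" = yes ]; then echo "network-listening"
    elif [ "$1" = 1 ] && [ "$tcp_configured" = yes ]; then echo "network-configured"
    elif [ "$1" = 1 ]; then echo "usb-only"
    else echo "off"
    fi
}

# Collect the live values. The setting and property names are standard Android
# ones, not taken from the article.
audit_device() {
    enabled=$(settings get global adb_enabled 2>/dev/null) || true
    port=$(getprop service.adb.tcp.port 2>/dev/null) || true
    [ -n "$port" ] || port=$(getprop persist.adb.tcp.port 2>/dev/null) || true
    if cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | listening_on_adb_port
    then listening=yes; else listening=no; fi
    adb_exposure "$enabled" "$port" "$listening"
}

# Only run against a live device; elsewhere the functions can be fed saved output.
if command -v getprop >/dev/null 2>&1; then audit_device; fi
```

Any verdict other than `off` or `usb-only` means the debugging port is, or after a restart of the ADB daemon would be, reachable from the network the device is on.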