360 security researchers have published two reports stating that about 7,000 Android devices have been infected with the mining worm ADB.Miner. Infected devices have port 5555 open. Some infected devices have been confirmed to be TV boxes, but it is not certain whether any Android phones are infected. The victims are mainly located in China and South Korea.
According to the report, about 24 hours ago, starting at 15:00 on 2018-02-03, a set of malicious code began to spread rapidly in worm fashion.
- Time of spread: the earliest infection can be traced back to around January 31. The current wave of worm infections has been detected by our system since around 15:00 on 2018-02-03 and is still growing.
- Infected port: 5555, the working port of the adb debug interface on Android devices. This port should normally be closed, but for some unknown reason it has been wrongly opened.
- Worm infection: the malicious code continuously scans for adb port 5555 in order to propagate itself.
- Infected device models: judging from the device models seen so far, most of them are smartphones, as well as smart TV set-top boxes.
- Number of infected devices: 2.75 ~ 5k, mainly in China (~40%) and South Korea (~30%)
An infected device scans for the adb debug interface on TCP port 5555 and attempts to execute adb commands to copy itself to newly infected machines. The worm's core function is to use the stolen computing resources to mine XMR tokens. The worm's port-scanning component borrows MIRAI's SYN scanning module to improve scanning efficiency.
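Because infected devices probe TCP port 5555 with bare SYN packets, the behaviour shows up in flow logs as one source contacting many distinct hosts on that port in a short time. The following is an added detection example, not code from the 360 Netlab report; the log format, addresses, threshold and time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADB_PORT = 5555
# Constructed flow records: time, source, destination, dest port, TCP flags
SAMPLE_FLOWS = """\
2018-02-03T15:00:01 192.168.1.50 203.0.113.1 5555 S
2018-02-03T15:00:01 192.168.1.50 203.0.113.2 5555 S
2018-02-03T15:00:02 192.168.1.50 203.0.113.3 5555 S
2018-02-03T15:00:02 192.168.1.50 203.0.113.4 5555 S
2018-02-03T15:00:03 192.168.1.50 203.0.113.5 5555 S
2018-02-03T15:00:04 192.168.1.20 192.168.1.77 5555 S
2018-02-03T15:00:05 192.168.1.30 198.51.100.9 443 S
malformed line here
2018-02-03T15:10:00 192.168.1.40 203.0.113.7 5555 S
2018-02-03T16:10:00 192.168.1.40 203.0.113.8 5555 S
"""

def parse_flows(text):
    """Yield (time, src, dst, port, flags), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, flags = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(port), flags
        except ValueError:
            continue

def find_adb_scanners(text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct hosts sent bare SYNs on 5555 per window}."""
    per_src = defaultdict(list)
    for ts, src, dst, port, flags in parse_flows(text):
        if port == ADB_PORT and flags == "S":  # SYN only, no ACK
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(find_adb_scanners(SAMPLE_FLOWS))
```

A single adb connection to one host and slow, spread-out connections stay below the threshold, so only the fan-out pattern is reported.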
Reference: blog.netlab.360.com