Open Android Port Target of Attack

Monday, July 23, 2018 @ 03:07 PM gHale

Exploitation of open ports on devices has been an on-going problem for Internet of Things (IoT) users. And port 5555 on Android devices is no different.

That is because a botnet is searching around looking for the open port, said researchers at Trend Micro.

RELATED STORIES
Android July Security Patches
Android P Compiler-Based Mitigations Expanded
Android Trojan for Rent
Android RAT Developed from Scratch

Attackers are trying to get into TCP port 5555, which is designed to allow management of devices via Android Debug Bridge (ADB), an Android Software Development Kit (SDK) feature that allows developers to easily communicate with devices and to run commands on them or fully control them.

The ADB port should be disabled on commercial devices.

The catch is, though, a good chunk of the devices end up shipped with ADB enabled, much to the surprise of end users.

“Recently, we found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. In this scenario, the activity involves the command line utility called Android Debug Bridge (ADB), a part of the Android SDK that handles communication between devices that also allows developers to run and debug apps on Android devices. Our data shows that the first wave of network traffic came mainly from China and the U.S., while the second wave primarily involved Korea,” said Trend Micro researchers Hubert Lin, Lorin Wu, and Vit Sembera in a post.

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports,” the researchers said. “It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary.”

After infecting devices, the malware targets a series of processes for termination and launches its own child processes, one of which is responsible for spreading the malware as a worm. It also opens a connection to the command and control (C&C) server.

The payload also contains a header with a number of targets and IP packet types to be sent, which could suggest the malware was designed to launch distributed denial of service (DDoS) attacks (it can send UDP, TCP SYN, and TCP ACK packets (with a random payload of random length), UDP with random payload tunneled through Generic Routing Encapsulation (GRE), and TCP SYN), the researchers said.

To mitigate the issue, “users who are comfortable changing the settings of their mobile device can go to settings, select “Developer Options” and ensure that ‘ADB (USB) debugging’ and ‘Apps from Unknown Sources’ are turned off,” the researchers said. “The latter setting is turned off by default but should be double-checked to make sure. If the user suspects that their device is already infected, doing a factory reset can clear the payload.”



Leave a Reply

You must be logged in to post a comment.