
The security community raised the alarm regarding a serious issue last week, that of Android devices shipping with their debug port open to remote connections.

The issue is not new. It was first spotted by the team at Qihoo 360 Netlab in February this year, when they detected an Android worm spreading from Android device to Android device and infecting them with a cryptocurrency miner named ADB.Miner.

The ADB.Miner worm exploited the Android Debug Bridge (ADB), a feature of the Android OS used for troubleshooting faulty devices.

In the default configuration of the Android OS, the ADB feature is turned off, and users need to enable it manually while connecting their device over a USB cable. ADB debugging also supports a mode named "ADB over WiFi" that lets developers connect to a device over a WiFi connection instead of the default USB cable.

Root cause: ADB interface left open to remote connections

The issue is that some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version of their product that landed in users' hands.

Customers using these devices may be unaware that their device is open to remote connections via the ADB interface, normally accessible via TCP port 5555.

Furthermore, because ADB is a troubleshooting utility, it also grants the user access to a slew of sensitive tools, including a Unix shell.

This is how the ADB.Miner worm spread last February: by gaining access to a device via the ADB port, using the Unix shell to install a Monero miner, and then scanning for new devices to infect via port 5555.

Over 15,600 devices are currently exposing their ADB port

But last week, security researcher Kevin Beaumont brought this issue back to everyone's attention. In a Medium blog post, Beaumont says that countless Android-based devices are still exposed online.

"During research for this article, we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea," Beaumont said.

"This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’— the administrator mode — and then silently install software and execute malicious functions," Beaumont added.

Beaumont's blog post raised the community's interest in this topic once more. For starters, spurred by Beaumont's work, IoT search engine Shodan has added support for scanning devices with ADB interfaces left exposed online.

Since adding support last week, the number of Android devices running an exposed ADB interface, as indexed by Shodan, has grown from around 1,100 on Friday to over 15,600 on Monday, and the number is expected to grow as Shodan indexes new devices in the coming days.

ADB.Miner still very much alive

Furthermore, fellow security researchers have also confirmed that the ADB.Miner worm spotted in February by Qihoo 360 Netlab is still alive and kicking.

Qihoo 360's NetworkScan Mon also confirms that scanning activity on port 5555 never stopped, with nearly 30 million scans recorded in the past month alone.

Making matters worse, there is also a Metasploit module for exploiting and rooting Android devices via port 5555 in an automated and scripted manner, making this misconfiguration issue a clear and present danger for all owners of Android devices.

The best advice at this moment is for Android device owners to check whether their vendor has left the ADB interface enabled on their device. This tutorial should help users with enabling or disabling the ADB interface (referred to as USB Debugging in most Android OS settings menus).

"These are not problems with Android Debug Bridge itself," Beaumont said. "ADB is not designed to be deployed in this manner."

Beaumont also suggests that mobile operators should block inbound connections going to port 5555 to users' devices, which would render most Internet-wide scans useless.
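The scanning activity on port 5555 described above is easy to spot at a network boundary. The following is an added example, not code from the article or from any of the researchers it cites: it parses constructed netfilter LOG lines (the format is assumed; the addresses are sample values) and picks out inbound TCP connection attempts to the ADB port, then flags sources that swept several hosts, which is the behaviour the worm exhibits.

```python
import re
from collections import Counter, defaultdict

ADB_PORT = 5555  # default TCP port for "ADB over WiFi"

# Constructed sample netfilter LOG lines (not from the article): three SYNs
# from one source to the ADB port, one HTTPS SYN, and one UDP packet on 5555.
SAMPLE_LOG = """\
Jun 12 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=5555 SYN URGP=0
Jun 12 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=41235 DPT=5555 SYN URGP=0
Jun 12 03:14:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jun 12 03:14:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.12 PROTO=UDP SPT=5555 DPT=5555 LEN=40
Jun 12 03:14:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41236 DPT=5555 SYN URGP=0
"""

def parse_line(line):
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields plus TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["FLAGS"] = set(re.findall(r"\b(SYN|ACK|FIN|RST)\b", line))
    return fields

def is_adb_probe(fields):
    """True for an inbound TCP SYN aimed at the ADB port: a new connection
    attempt, not a reply and not UDP noise on the same port number."""
    return bool(fields.get("IN") and not fields.get("OUT")
                and fields.get("PROTO") == "TCP"
                and fields.get("DPT") == str(ADB_PORT)
                and "SYN" in fields["FLAGS"])

def adb_probes_by_source(log_text):
    """Count ADB-port connection attempts per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if is_adb_probe(f):
            hits[f["SRC"]] += 1
    return hits

def adb_scanners(log_text, min_targets=2):
    """Sources that probed the ADB port on at least `min_targets` distinct
    hosts; a sweep like this is the worm's pattern, not a stray connection."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if is_adb_probe(f):
            targets[f["SRC"]].add(f["DST"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}
```

Running `adb_scanners(SAMPLE_LOG)` on the constructed sample returns `{'203.0.113.7': 3}`; on a real gateway the same function run over the kernel log shows whether the inbound block on port 5555 that Beaumont recommends is actually in place.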
