Recently, security experts spotted the crypto mining malware ADB.miner (Android.CoinMine.15) targeting Amazon Fire TV and Fire TV Stick devices.
The malicious code is active at least since February when researchers at Qihoo 360’s Netlab have spotted the Android mining botnet that targets Android devices by scanning for open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.
The port 5555 is the working port ADB debug interface on Android device that should be shut down normally. The devices infected by ADB.miner are devices where users or vendors have voluntary enabled the debugging port 5555.
The Amazon devices hit by the ADB.miner leverages the ADB (Android Debug Bridge) for uninterrupted internet connections it is no surprise that they are now under attack.
Many Amazon Fire TV owners reported through a thread on the XDA forums that they streaming media players have been infected by the malware.
“hi guys ! i have a question i hope someone can help me with. I have a Gen 2 Firestick and for 2 days now this app called “test” keeps popping up at all times, i have no clue why its doing this. I have uninstalled the app and it comes back and ive even tryed to run the app and its tells me the App needs updated to run on my device, look for an updated version on my store.. and yeah the app dont exist on the store.. What is up with this thing?” wrote one of the Amazon Fire TV owners.
Once the malware has infected the device, it will abuse its resources to mine cryptocurrency and disrupts video playback feature.
The infected devices display the official Android logo and a message that states “Test.”
“Infected devices will become very slow to use. Loading apps will take longer than usual. This is because the malware is using 100% of the device’s processor to mine cryptocurrency. A screen that says “Test” with a green Android robot icon will also occasionally appear randomly on infected devices. This screen causes video playback and apps to abruptly stop, making the device difficult to use normally.” states an analysis published on Aftvnews.com.
Reverse engineering the code of the Test app the experts discovered it is a variation of ADB.Miner that opens a single HTML page, containing the CoinHive script, in the Android Webview to mine Monero. Below the code that included in the app.
Amazon Fire TV devices that have developer options disable cannot be infected by the ADB.miner.
It the Amazon device has already been infected it is possible to install the Total Commander app that will remove the ADB.miner.
To discover if your device is infected
Another way to remove the malicious code is to force a factory reset for the device, but If you do not want to factory reset your device install a modified version of the malicious app.
“If you do not want to factory reset your device and/or the malware keeps reappearing because your Fire TV keeps getting reinfected, you can try installing a modified version of the malware that doesn’t actually mine cryptocurrency. An XDA user by the name of innovaciones created this modified version of the malware. When installed, it updates the existing malware to a version that essentially turns off the miner.” concludes aftvnews.com.
(Security Affairs – Amazon Fire TV, ADB.miner)