In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.
Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.
The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb.) According to the Google developer portal,
“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”
These are very powerful functions for debugging tools, and also useful for executing malicious code without being trapped by the usual security controls. As long as the adb tools is being used in a secured environment, it presents little risk. It is recommended that the adb service is disabled before releasing devices to consumers and it is common for the adb service to be restricted to USB connectivity only.
In early June security researcher Kevin Beaumont, warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet, “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.
According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”
The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server, then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.
It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.
The Trend Micro researchers offer a few suggestions to reduce your risk:
The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.