Thousands of Android devices leave debug port 5555 exposed

Tens of thousands of Android devices have exposed debug port 5555 wide open to the internet.

The debug feature, Android Debug Bridge (ADB), is used by developers to remotely connect to Android devices and execute commands. However, vendors have been shipping some products with ADB enabled, leaving the critical port left wide open and unsecured, according to security researcher Kevin Beaumont in a blog post last week. 

Additionally, Android users have also been rooting their devices, leaving their devices even more exposed to vulnerabilities and attacks.

Beaumont analyzed the threat by first discovering via Shodan, an IoT search engine, how many devices were listening on port 5555. Over 82,000 devices were discovered, most of them in China.

He then used Rapid7 Metasploit’s ‘adb_server_exec’ module to remotely probe the devices and find more detailed information such as make and model. 

To make matters worse, a network worm has been exploiting ADB for months. Qihoo 360’s Netlab  first warned back in February of a massive increase in scanning for port 5555, leading to subsequent malware infections of mostly Android smart phones and smart TVs.

360 published research concerning a mining botnet dubbed “ADB.Miner” that used the Android ADB to rapidly spread using a modified version of Mirai’s code.

Organizations should scan their internal and external networks for devices with open port 5555 and make sure ADB is disabled.

Finally, vendors should be extra diligent to ensure ADB is disabled prior to shipping to users and avoid an otherwise “Root Bridge” issue exposing end-users to attacks.