Attackers attack open ADB ports to spread malware

Attackers are exploiting IoT devices with open ADB port 5555 to spread malware. 

The new report released by Trend Micro security researchers on Monday said that the ADB port exploit could be used to spread a variant of Satori malware on Android devices. 

An excerpt of the threat was described by Trend Micro: 

“Recently, we found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. In this scenario, the activity involves the command line utility called Android Debug Bridge (ADB), a part of the Android SDK that handles communication between devices that also allows developers to run and debug apps on Android devices. Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”

Trend Micro further provided technical analysis on how the exploit works: 

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary.”

Nearly 48,000 IoT devices are vulnerable to ADB exploits, according to Shodan scan data. However, mitigating controls can minimize exposure, such as hiding devices behind routers with Network Address Translation (NAT). 

Internet of Things (IoT) devices to include smart TVs and multimedia devices, as well as smart phones can be targets for this malware exploit. 

Users should also make sure “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off via Developer Options setting on their mobile device.

Users may also remember the FBI’s cybercrime warnings and guidance to secure IoT devices, such as disabling Universal Plug-and-Play (UPnP) on routers, isolating IoT devices and keeping devices up to date with latest firmware and security updates. 

Related articles

Readers can also check out the following articles related to Satori malware attacks: