Among this botnet’s most common victims are Android set-top boxes manufactured by HiSilicon, Cubetek, and QezyMedia, cyber-security firm WootCloud said today.
Another IoT botnet targeting ADB
The attacks aren’t using a vulnerability in the Android operating systems, but are exploiting a configuration service that has been left enabled and unprotected on some set-top boxes installations.
Named the Android Debug Bridge, or ADB, this is a standard feature of the Android OS. It’s purpose is to allow manufacturers and app developers access to the Android OS via a command-line interface. This ADB terminal can be accessed in three ways, via a wired connection, WiFi, or over a network or the internet (via a device’s port 5555).
Manufacturers often use the ADB service to configure or run tests on Android-based devices. In most production lines, companies disable the service before shipping the device to customers.
However, in the past few years, as Android devices have become more and more popular, many vendors fail or forget to disable this service, leaving devices exposed to remote attacks.
In the past, there have been quite a few IoT botnets that have targeted Android-based smartphones and IoT devices where ADB has been left enabled.
New Ares botnet
While there’s a constant hum of IoT botnets that are continually scanning the internet for Android devices with open ADB ports, a new one has joined the fold in the last month.
Named Ares, this botnet operates on the skeleton of the infamous Mirai IoT malware, and has been one of the most active IoT botnets last month.
In a report published today and shared with ZDNet, WootCloud Labs said Ares operates by randomly scanning the internet for Android devices with open ADB ports.
When it finds a vulnerable device, the Ares operators download a version of the Ares malware on the exposed device, which then acts as another scanning point for the Ares operators.
Ares-infected devices will scan for both other Android systems with open ADB ports, but also for devices running Telnet services, specific to Linux-based servers and smart devices.
These attacks started in July, Srinivas Akella, Founder & Chief Technology Officer of WootCloud, told ZDNet in an email today. The exec also doesn’t exclude the possibility that other types of Android systems were also infected.
A problem to plague users and enterprises for years
Ares functionality is largely unknown, but being based on the older Mirai, it’s expected that the malware can launch DDoS attacks and proxy traffic for attackers.
As a result, any infected Android devices, especially those installed in enterprise environments, can become points of entry in a breach. Companies are advised to implement firewalls or other security solutions, or segment local networks, so any infected device doesn’t have access to critical systems.
“To protect against the ADB being misused in these cases where it is left enabled, routers can be configured to block the ingress and egress network traffic to TCP port 5555, which is the ADB port,” Akella said.
This advice is also valid for home users who can filter incoming traffic on their local routers. But the easiest fix, even if the victim is an enterprise or home user, is disabling ADB on all the local Android-based devices.
Unforutnately, disabling ADB on some set-top boxes (STB) may not be as easy as it sounds.
“Whether or not a home user can disable the ADB port depends on the design/if the vendor provides an option to disable the ADB via the GUI in STBs,” Akella told ZDNet.
“If not, then home users will need to have technical acumen to disable the ADB functionality either by setting up their routers to block traffic or by logging in to the device and disabling ADB services on command prompt.”
Sadly, this may be out of the technical reach of the vast majority of Android and STB users, which means most of these devices will remain open to attacks until they’re decommissioned.