“This attack takes advantage of the way open ADB ports don’t have authentication by default, similar to the Satori botnet variant. This bot’s design allows it to spread from the infected host to any system that has had a previous SSH connection with the host,” the researchers wrote.
“The use of ADB makes Android-based devices susceptible to malware. We detected activity from this malware in 21 different countries, with the highest percentage found in South Korea.”
The attack vector is one that has been abused before. Last year Juniper Threat Labs identified some of the vendors that had shipped ADB enabled.
“The number of publicly vulnerable devices has declined from about 40,000 devices one year ago to about 30,000 devices today. Most of the remaining vulnerable devices are located in Korea, Taiwan, Hong Kong and China,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“It should be noted that some of the vulnerable devices are set-top boxes used for IPTV, not mobile phones. It is our speculation that most of the phones are, or become, vulnerable due to enabling the Android Debug Bridge during device rooting, a process which allows a locked down device to move freely between service providers.”
Because Android devices are beholden to their carriers or device manufacturers, Sam Bakken, senior product marketing manager, OneSpan, said it can be difficult for the general user to keep devices secure.
“Even if they wanted to harden their device with security updates or more secure configurations they simply can’t. The general layperson is becoming more aware of security and privacy issues as it relates to the mobile devices and apps they use,” Bakken said.
“Security is becoming a more important criterion in consumer decisions about which devices and apps they will and will not use. Savvy organizations are responding, building security into their mobile apps with technologies, such as app shielding and other in-app protections. This not only protects a developer’s intellectual property/app but also provides at least one safe haven for their users so they can rest easy knowing at least their usage of that one app is secure and protected.”