The security community raised the alarm regarding a serious issue last week —that of Android devices shipping with their debug port open to remote connections.
The issue is not new, being first spotted by the team at Qihoo 360 Netlab in February, this year, when they detected an Android worm that was spreading from Android device to Android device, infecting them with a cryptocurrency miner named ADB.Miner.
The ADB.Miner worm exploited the Android Debug Bridge (ADB), a feature of the Android OS used for troubleshooting faulty devices.
In the default version of the Android OS, the ADB feature is turned off, and users need to manually enable it while connecting their device via a USB connection. Furthermore, ADB debugging also supports a state named “ADB over WiFi” that lets developers connect to a device via a WiFi connection instead of the default USB cable.
The issue is that some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version of their product that landed in users’ hands.
Customers using these devices may be unaware that their device is open to remote connections via the ADB interface, normally accessible via TCP port 5555.
Furthermore, because ADB is a troubleshooting utility, it also grants the user access to a slew of sensitive tools, including a Unix shell.
This is how the ADB.Miner worm has spread last February, by gaining access to a device via the ADB port, using the Unix shell to install a Monero miner, and then scanning for new devices to infect via port 5555.
But last week, security sleuth Kevin Beaumont has re-brought this issue to everyone’s attention once more. In a Medium blog post, Beaumont says that there are still countless Android-based devices still exposed online.
“During research for this article, we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea,” Beaumont said.
“This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’— the administrator mode — and then silently install software and execute malicious functions,” Beaumont added.
Beaumont’s blog post raised the community’s interest in this topic once more. For starters, spurred by Beaumont’s work, IoT search engine Shodan has added support for scanning devices with ADB interfaces left exposed online.
Update: Shodan have now added support for Android Debug Bridge, and crawlers are now running. Will take a while to update. pic.twitter.com/rlU0I3XzNm
— Kevin Beaumont (@GossiTheDog) June 9, 2018
Since adding support last week, the number of Android devices running an exposed ADB interface —indexed by Shodan— has grown from around 1,100 on Friday to over 15,600 on Monday, and the number is expected to grow as Shodan indexes new devices in the coming days.
Furthermore, fellow security researchers have also confirmed that the ADB.Miner worm spotted in February by Qihoo 360 Netlab is still alive and kicking.
@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I’ve been fingerprinting on February. It seems that it lives and it feels pretty well. I’ve checked out two days (4th, 5th of June) – about 40 000 unique IP addresses. I’ll provide some deep analysis soon. pic.twitter.com/HZcTkMPW5o
— Piotr Bazydło (@chudyPB) June 8, 2018
Qihoo 360’s NetworkScan Mon also confirms that scanning activity on port 5555 never stopped, with nearly 30 million scans recorded in the past month alone.
Making matters worse, there is also a Metasploit module for exploiting and rooting Android devices via port 5555 in an automated and scripted manner, making this misconfiguration issue a clear and present danger for all owners of Android devices.
The best advice at this moment is for Android device owners to check if their vendor has left the ADB interface enabled on their device. This tutorial should help users with advice on enabling or disabling the ADB interface (referred to USB Debugging in most Android OS settings menus).
“These are not problems with Android Debug Bridge itself,” Beaumont said. “ADB is not designed to be deployed in this manner.”
Beaumont also suggests that mobile operators should block inbound connections going to port 5555 to users’ devices, which would render most Internet-wide scans useless.