Malware News Botnet Targets Open Ports on Android Devices

silversurfer

Aug 17, 2014
A wave of attacks is targeting Android devices with port 5555 open, likely in an attempt to ensnare them into a botnet, Trend Micro warns.

TCP port 5555 is designed to allow management of devices via Android Debug Bridge (ADB), an Android SDK feature that allows developers to easily communicate with devices and to run commands on them or fully control them.

The ADB port is meant to be disabled on commercial devices and to require initial USB connectivity to be enabled. Last month, however, security researcher Kevin Beaumont revealed that many devices ship with ADB enabled, which leaves them exposed to attacks.

Scanning attacks specifically targeting the ADB port have been seen since January. In early 2018, a worm leveraging a modified version of Mirai’s code was searching for devices with open port 5555 to spread for crypto-mining purposes.

Now, Trend Micro says a new exploit is targeting port 5555. The security firm has observed a spike in activity on July 9-10, when network traffic came mainly from China and the US, followed by a second wave on July 15, primarily involving Korea.

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary,” Trend Micro explains.
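The propagation pattern described above (sources sweeping TCP 5555, then a device that accepted the connection starting to probe 5555 itself) can be looked for in firewall or flow logs. The following is an added example, not part of the original post or of Trend Micro's analysis; the log format, thresholds, function names and sample records are all constructed for illustration.

```python
from collections import defaultdict

ADB_PORT = 5555  # ADB-over-TCP port named in the article

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
1531100000 203.0.113.7 10.0.0.11 5555 DENY
1531100002 203.0.113.7 10.0.0.12 5555 DENY
1531100003 203.0.113.7 10.0.0.13 5555 ALLOW
1531100005 203.0.113.7 10.0.0.14 5555 DENY
1531100010 198.51.100.9 10.0.0.20 443 ALLOW
1531100060 10.0.0.13 10.0.0.21 5555 ALLOW
1531100061 10.0.0.13 10.0.0.22 5555 DENY
1531100500 192.0.2.44 10.0.0.11 5555 DENY
"""

def parse_flows(text):
    """Yield (ts, src, dst, port, action); malformed lines are skipped."""
    for line in text.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            yield int(ts), src, dst, int(port), action.upper()
        except ValueError:  # wrong field count or non-numeric field
            continue

def analyse(text, min_targets=3, window=60):
    by_src = defaultdict(list)  # src -> [(ts, dst)] for port-5555 flows
    first_accept = {}           # dst -> earliest accepted inbound 5555 flow
    for ts, src, dst, port, action in sorted(parse_flows(text)):
        if port != ADB_PORT:
            continue
        by_src[src].append((ts, dst))
        if action == "ALLOW":
            first_accept.setdefault(dst, ts)
    scanners = set()
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            # Distinct hosts this source tried on 5555 within the window.
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    # Hosts that accepted ADB inbound and later originated ADB traffic.
    spreading = {s for s, hits in by_src.items() if s in first_accept
                 and any(t > first_accept[s] for t, _ in hits)}
    return {"scanners": scanners, "exposed": set(first_accept),
            "spreading": spreading}

if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

Any host in `exposed` is accepting ADB over the network and should have it disabled or firewalled; a host in `spreading` warrants incident response rather than just a configuration fix.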
 
