Fbot pushes out cryptomining malware
Fbot spreads by scanning for devices with an open port 5555, used by the ADB (Android Debug Bridge) service on Android, and then retrieving a script via the ADB interface.
The script has three functions. The first is to uninstall the 'com.ufo.miner' malware. The second is to download the main payload, Fbot, which carries embedded details for contacting the command and control (C2) server. The third is to self-destruct.
Fbot appears to have a positive impact on a system previously infected with com.ufo.miner, as it looks for processes (SMI, RIG, XIG) associated with cryptomining activity and kills them.
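The indicators named above can be checked on a device you administer. The following is an added example, not code from the original article: it triages text collected with `pm list packages`, `ps` and `getprop service.adb.tcp.port`. The function names, the exact-name matching rule and the sample data (including the path shown) are assumptions constructed for illustration.

```python
# Added example: triage text collected from an Android device for the
# indicators the article names. Matching rules are assumptions.
MINER_PACKAGE = "com.ufo.miner"          # package named in the article
MINER_PROCESSES = {"SMI", "RIG", "XIG"}  # process names named in the article
ADB_TCP_PORT = "5555"                    # port the article says is scanned

def installed_packages(pm_output):
    """Parse `pm list packages` lines of the form 'package:<name>'."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def process_names(ps_output):
    """Return the basename of the last column (NAME) of each `ps` row."""
    rows = [l.split() for l in ps_output.splitlines()[1:] if l.strip()]
    return [r[-1].rsplit("/", 1)[-1] for r in rows]

def triage(pm_output, ps_output, adb_tcp_port):
    """Return a list of human-readable findings (empty if none match)."""
    findings = []
    if adb_tcp_port.strip() == ADB_TCP_PORT:
        findings.append("adb-over-tcp enabled on 5555")
    if MINER_PACKAGE in installed_packages(pm_output):
        findings.append("package com.ufo.miner installed")
    # Assumption: exact, case-insensitive match on the process basename.
    hits = sorted({n for n in process_names(ps_output)
                   if n.upper() in MINER_PROCESSES})
    if hits:
        findings.append("miner-associated process running: " + ", ".join(hits))
    return findings

# Constructed sample input (not taken from a real device).
SAMPLE_PM = "package:com.android.settings\npackage:com.ufo.miner\n"
SAMPLE_PS = """USER PID PPID VSZ RSS WCHAN ADDR S NAME
root 1 0 10000 1000 0 0 S /init
shell 2301 1 20000 3000 0 0 S /data/local/tmp/RIG
u0_a12 2400 500 900000 40000 0 0 S com.android.settings
"""
SAMPLE_PORT = "5555\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_PS, SAMPLE_PORT):
        print("[!]", finding)
```

Because the script uninstalls com.ufo.miner and Fbot kills these processes, a device that shows only the ADB finding is not thereby shown to be uninfected.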