Security News: Tens of Thousands of Android Devices Are Exposing Their Debug Port (accessible as 'root')

LASER_oneXM (thread author)
The security community raised the alarm regarding a serious issue last week — that of Android devices shipping with their debug port open to remote connections.

The issue is not new, being first spotted by the team at Qihoo 360 Netlab in February this year, when they detected an Android worm that was spreading from Android device to Android device, infecting them with a cryptocurrency miner named ADB.Miner.

The ADB.Miner worm exploited the Android Debug Bridge (ADB), a feature of the Android OS used for troubleshooting faulty devices.

In the default version of the Android OS, the ADB feature is turned off, and users need to manually enable it while connecting their device via a USB connection. Furthermore, ADB debugging also supports a state named "ADB over WiFi" that lets developers connect to a device via a WiFi connection instead of the default USB cable.
Root cause: ADB interface left open to remote connections

The issue is that some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version of their product that landed in users' hands.
Customers using these devices may be unaware that their device is open to remote connections via the ADB interface, normally accessible via TCP port 5555.
Furthermore, because ADB is a troubleshooting utility, it also grants the user access to a slew of sensitive tools, including a Unix shell.

This is how the ADB.Miner worm spread last February: by gaining access to a device via the ADB port, using the Unix shell to install a Monero miner, and then scanning for new devices to infect via port 5555.

"This is highly problematic as it allows anybody — without any password — to remotely access these devices as 'root' — the administrator mode — and then silently install software and execute malicious functions," Beaumont added.

Beaumont's blog post raised the community's interest in this topic once more. For starters, spurred by Beaumont's work, IoT search engine Shodan has added support for scanning devices with ADB interfaces left exposed online.

ForgottenSeer 58943

This has serious implications for localized attacks and command of Android devices.

If you have a firewall on your Android, block TCP port 5555. In addition, based on the above link, we should ALL be testing our Android devices and disabling this if it is enabled.

Also disable port 5555 on your hardware firewall/UTM appliance. That'll only protect you locally; once you connect to an external WiFi it's back on again.

Note: Once again, using a VPN would protect you from this. VPN will deny inbound connectivity to your device from externally created sessions and mask your internal subnet from external entities. These days, it's almost suicide to not use a VPN with your Android. Seriously.
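As an added example (not code from the thread, nor from Shodan or the ADB tooling it mentions), here is a small Python probe that speaks the documented ADB wire handshake so you can test your own devices on your LAN, as the post above recommends: it sends the client's CNXN message and classifies the daemon's first reply. A device that answers with CNXN straight away has accepted the connection without any key, which is the open 'root' exposure the article describes; an AUTH reply means adbd is asking for a key first. The host and port are values you supply; the banner properties are whatever the device sends.

```python
import socket
import struct

# ADB wire-protocol constants (documented protocol values, not taken from the thread).
A_CNXN = 0x4E584E43            # "CNXN": connection banner
A_AUTH = 0x48545541            # "AUTH": daemon demands RSA key authentication
ADB_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic

def adb_message(command: int, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Serialise one ADB message: 24-byte header followed by the payload."""
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return header + payload

def parse_message(data: bytes):
    """Validate a raw ADB message and split it into (command, arg0, arg1, payload)."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ADB header")
    command, arg0, arg1, length, check, magic = HEADER.unpack(data[:HEADER.size])
    payload = data[HEADER.size:HEADER.size + length]
    if (magic != command ^ 0xFFFFFFFF or len(payload) != length
            or (sum(payload) & 0xFFFFFFFF) != check):
        raise ValueError("malformed or corrupt ADB message")
    return command, arg0, arg1, payload

def classify_reply(reply: bytes):
    """Return (verdict, banner properties) for the daemon's first message."""
    command, _, _, payload = parse_message(reply)
    if command != A_CNXN:
        return ("auth-required" if command == A_AUTH else "unexpected"), {}
    text = payload.decode("utf-8", "replace").rstrip("\x00")
    dev_type, _serial, props = (text.split(":", 2) + ["", ""])[:3]
    banner = dict(p.split("=", 1) for p in props.split(";") if "=" in p)
    # An immediate CNXN means adbd accepted us with no key: anyone who can reach
    # port 5555 gets the same unauthenticated shell the thread describes.
    return "unauthenticated", {"type": dev_type, **banner}

def probe(host: str, port: int = 5555, timeout: float = 3.0):
    """Send the client CNXN handshake to one of your own devices and classify its answer."""
    hello = adb_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, b"host::\x00")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        stream = sock.makefile("rb")
        head = stream.read(HEADER.size)
        if len(head) < HEADER.size:
            raise ConnectionError("no ADB banner received")
        return classify_reply(head + stream.read(HEADER.unpack(head)[3]))
```

Point probe() at the LAN address of a device you own; if it reports "unauthenticated", switch ADB over TCP off (on a USB-attached device, `adb usb` restarts adbd listening on USB only) and re-check.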
 

shmu26

Thanks, Sly. So VPN wins again.

ForgottenSeer 58943


I've come to the conclusion that I cannot adequately secure an Android device without either:

1) Rooting it and ripping its guts out. (which has its own issues..)
or
2) Blocking all functionality, using it as a local device in Airplane Mode. (which essentially makes it a Gameboy or Etch-a-Sketch)
or
3) Using a secured, quality, no-logging VPN with AES256 DE, SHA-256, RSA2048 or better HS.

Also I recommend a PHYSICAL microphone disabling microcircuit device. Essentially it tells your phone you have a microphone installed then has microcircuits to mute it. They're listening in on phones. Trigger words are now virtually everything you say and they've voice printed about 35 million or more people.

