- Feb 4, 2016
The security community raised the alarm regarding a serious issue last week: that of Android devices shipping with their debug port open to remote connections.
The issue is not new: it was first spotted by the team at Qihoo 360 Netlab in February this year, when they detected an Android worm spreading from Android device to Android device and infecting them with a cryptocurrency miner named ADB.Miner.
The ADB.Miner worm exploited the Android Debug Bridge (ADB), a feature of the Android OS used for troubleshooting faulty devices.
By default, the ADB feature is turned off in the Android OS, and users need to enable it manually, after which it is normally used over a USB connection. ADB debugging also supports a mode named "ADB over WiFi" that lets developers connect to a device via a WiFi connection instead of the default USB cable.
Root cause: ADB interface left open to remote connections
The issue is that some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version of their product that landed in users' hands.
Customers using these devices may be unaware that their device is open to remote connections via the ADB interface, normally accessible via TCP port 5555.
Furthermore, because ADB is a troubleshooting utility, it also grants the user access to a slew of sensitive tools, including a Unix shell.
This is how the ADB.Miner worm spread last February: by gaining access to a device via the ADB port, using the Unix shell to install a Monero miner, and then scanning for new devices to infect via port 5555.
"This is highly problematic as it allows anybody — without any password — to remotely access these devices as 'root' — the administrator mode — and then silently install software and execute malicious functions," Beaumont added.
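The "without any password" condition is visible on the wire: when a client sends its CNXN banner to port 5555, an adbd that enforces RSA key authentication answers with an AUTH challenge, while an open one answers straight back with its own CNXN banner. The following added example (not code from the article or from Beaumont) parses that first reply from captured bytes so a network monitor can tell the two cases apart; the ADB header layout and command words come from the AOSP protocol documentation, and the three replies are constructed samples, not real devices.

```python
"""Classify a device's first ADB reply on TCP/5555 from captured bytes (passive check)."""
import struct

# ADB wire-protocol command words (AOSP system/core/adb/protocol.txt):
# the four ASCII letters read as a little-endian uint32.
A_CNXN = 0x4E584E43  # "CNXN": connection banner, sent back when no auth is required
A_AUTH = 0x48545541  # "AUTH": RSA challenge, sent when adbd enforces key authentication
A_VERSION = 0x01000000
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_len, data_check, magic


def parse_message(buf: bytes):
    """Parse one ADB message; None if the 24-byte header or payload is malformed."""
    if len(buf) < HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:  # magic is the bitwise inverse of the command
        return None
    payload = buf[HEADER.size:HEADER.size + length]
    # data_check is the byte sum of the payload; newer adb versions may send 0, so only
    # reject a nonzero value that does not match.
    if len(payload) != length or (check and check != (sum(payload) & 0xFFFFFFFF)):
        return None
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Encode an ADB message (used here only to construct the sample captures)."""
    check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), check, command ^ 0xFFFFFFFF) + payload


def classify_reply(reply: bytes) -> str:
    """Risk verdict for the device's first reply to a CNXN banner on port 5555."""
    msg = parse_message(reply)
    if msg is None:
        return "not-adb"
    if msg["command"] == A_CNXN:
        return "adb-unauthenticated"  # a shell-capable session was granted with no key check
    if msg["command"] == A_AUTH:
        return "adb-auth-required"    # adbd demanded an RSA token: exposed, but not open
    return "adb-other"


# Constructed sample captures (not real devices): each device's first reply on 5555.
SAMPLE_REPLIES = {
    "192.0.2.10": build_message(A_CNXN, A_VERSION, 4096,
                                b"device::ro.product.name=sample;ro.product.model=Sample;"),
    "192.0.2.11": build_message(A_AUTH, 1, 0, bytes(20)),  # arg0=1 is ADB_AUTH_TOKEN
    "192.0.2.12": b"SSH-2.0-OpenSSH_8.9\r\n",              # something else listening on 5555
}

if __name__ == "__main__":
    for host, reply in SAMPLE_REPLIES.items():
        print(f"{host:<12} {classify_reply(reply)}")
```

Feeding the parser the first server-to-client segment of each 5555 flow from a capture gives an inventory of which devices on a network are open in the sense the article describes versus merely reachable.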
Beaumont's blog post raised the community's interest in this topic once more. For starters, spurred by Beaumont's work, IoT search engine Shodan has added support for scanning devices with ADB interfaces left exposed online.