ADB.Miner propagating through open diagnostic test ports

Over the past 48 hours, more than 7,000 Android devices have been infected by worm-like malware designed to mine cryptocurrency, security researchers have warned.

In what’s thought to be the first known use of Mirai code in an Android botnet, the malware – dubbed ‘ADB.Miner’ – was found to be aggressively spreading through Android devices over the weekend.

According to researchers at Qihoo 360 Netlab in China, the malware embeds itself into Android-based smartphones and smart televisions via the Android Debug Bridge (ADB) on port 5555.

As reported in Ars Technica, port 5555 is usually closed, but ADB opens the port to perform a series of diagnostic tests.

Captured samples have shown that, after infecting a device, the malware will simultaneously mine for Monero whilst initiating a port scan and attempting to replicate itself across new devices.

“This worm borrows code from Mirai’s Syn scanning module for efficiency,” said 360 Netlab in a blog post earlier today. “The worm does not have a command and control server and gains all income through a single wallet address.”

The researchers said the earliest infection can be traced back to January 31. And although the vast majority of impacted devices were found to be in China and South Korea, successful scans for open ports has allowed the malware to propagate around the world.