Cybersecurity firm Trend Micro finds crypto malware on Android software

The “multinational cyber security and defense company” from Tokyo, Trend Micro, recently reported on a cryptocurrency mining bot that’s infecting Android devices, reports CoinDesk.

Security threats are spread all over

According to Trend Micro, the malware is in 21 different countries. South Korea is where they’ve seen it the most.

Essentially, the bot goes after Android Debug Bridge (ADB) ports. This is terrible considering that the system is used to fix broken applications and other issues on an Android phone.

If default settings are in place, these ports don’t need authentication to open. So, it gets in through these, and can then spread to any device that has ever connected via an SSH connection.

The publication reports that researchers have commented on the process a little further:

“Being a known device means the two systems can communicate with each other without any further authentication after the initial key exchange, each system considers the other as safe. The presence of a spreading mechanism may mean that this malware can abuse the widely used process of making SSH connections.”

From there, the attack takes advantage of the command shell software to change ADB execution permissions. From there, it uses a command called “wget” to take from three miners. It picks from the best of those, and then uses an “chmod 777 a.sh” command to change more permissions.

Then, it hides itself from the host with another command, “rm -rf a.sh*” and deletes the download. Moreover, it hides its past and future trail with this command as well.

The team found three miners sent into systems, all of which had the same URL:

“http://198[.]98[.]51[.]104:282/x86/bash

http://198[.]98[.]51[.]104:282/arm/bash

http://198[.]98[.]51[.]104:282/aarch64/bash”

It then runs a few more optimizations to make the attack run even faster.

Overall, these attacks are becoming more and more common. In fact, Trend Micro found another attack on ADB systems last year, which they called the Satoshi Variant. It seems that users may want to start buying cryptocurrency instead of mining to stay far away from this threat.