Botnet targets set-top boxes using Android OS

Not for the first time, cybercriminals are targeting an important part of Android’s core software called the Android Debug Bridge (ADB).

Normally the only people who pay any attention to the ADB are developers and device makers who use it as a terminal for debugging purposes.

It’s supposed to be deactivated after the debugging is done. Unfortunately, it seems that ADB is being left active on some set-top boxes (STBs) and TVs built around a stripped-down version of Android called the Android OS (as distinct from the flavour of Android that runs smartphones, the Wear OS used by Android watches, and unrelated Chrome OS used by Google’s Chromecast and assorted Chromebooks).

According to cybersecurity company WootCloud, a new botnet called Ares has noticed the misconfiguration and is trying to exploit it to infect Android OS set-top boxes with bot malware while scanning for other vulnerable boxes to target for infection.

It’s not hard to understand why an active ADB might invite unwanted attention – it can be used to control the device and install software after bringing up a remote command shell on port 5555, for instance.

While it appears that some exposed ADB interfaces are protected with passwords, Ares comes equipped with a password-cracking component to beat these.

IoT backdoor

Another way of understanding exposed ADB is to see it as the latest instalment of the growing security headache of the Internet of Things.

As long as these devices turn on and off when required, everything looks good and nobody need pay much attention to what might be going on behind the scenes.

The immediate issue is how Android OS device owners can tell whether their boxes are affected and what they can do about it if they are.

What to do

WootCloud’s advisory only names models from three set-top box makers – HiSilicon, Cubetek, and QezyMedia – but warns that other makers might also be affected. And it’s not only set-top boxes that are at risk:

Looking at threat and inherent capabilities, it seems that the attackers will be targeting more android-based devices such as phones.

The obvious defence is to manually disable the ADB interface but that’s not always possible – and when it is, it’s not always easy.

You could try blocking port 5555 using your internet router’s firewall, if you have one and know how to configure it. However, ADB isn’t the only software that uses port 5555 so be aware this might stop other services from working too.

The most sensible course of action for most users will be to wait for vendor updates.

While they may be concerning, ADB-targeting botnets certainly aren’t new – almost a year ago, researchers spotted two, Fbot and Trinity, attempting to exploit the same weakness.

Earlier that summer, researchers spotted thousands of vulnerable devices and a big chunk of traffic hitting port 5555.