ADB.Miner - What's Up With All This Traffic on Port 5555?

Over the past week, there have been several articles about a new, rapidly growing botnet called ADB.Miner. The first public mention of it seems to be in this blog post from Netlab 360. The botnet itself is geared toward cryptocurrency mining, specifically targeting Android devices with ADB enabled. Android, by default does not have ADB turned on, let alone via wifi, though there are many android ‘Streaming boxes’ available on the internet. These generally come from generic vendors at extremely cheap prices. It’s precisely these type of devices that appear to be the target for ADB.Miner.

What makes ADB.Miner interesting is that it appears to be borrowing code from the Mirai botnet, which may account for its quick spreading. Your firewalls may have noticed a sharp increase in port 5555 traffic over the past week.

Our SOC noticed a large increase in port 5555 traffic this past week as a result of ADB.miner. Looking at the graph below, the aggressiveness of the botnet becomes evident.

As for the sources of infected hosts, the infected hosts are mostly in Asia.

Should I be worried about this?

In an enterprise setting, probably not, unless you have Android devices of dubious origin and port 5555 opened to the internet. (Don’t do this). At home, you can run a port scan against 5555, or manually check your Android devices to see if ADB is enabled. Again, your Android tablet or phone probably does not have this enabled by default. That being said, I still did a manual check on all my devices.

The botnet seems to have significantly slowed growth as of yesterday afternoon, either having compromised all available hosts, or the operators are reacting to the press.

While this instance was not being weaponized, the Threat Team at Baffin Bay Networks suspects that this is just the beginning of things to come in 2018. There are already several Mirai variants out there leveraging different vulnerabilities and tactics. Our SOC is currently tracking a few different clusters of IP addresses that appear to be related to new botnets.

For now, minimize your attack surface, patch early, and patch often.