I was reading this report this morning and I must confess that I was not surprised. Long story short, many devices out there running Android have ADB actively listening on port 5555, essentially leaving those devices exposed with a nice and convenient sudo backdoor.

The Android Debug Bridge (ADB) is a tool that allows you to communicate with a device, execute commands and, essentially, fully control it through a sudo-like shell. It is not authenticated or secured, but in order to use it one must normally have physical (USB) access to the device and manually toggle Debug Mode on the phone. This makes the backdoor on an Android device at least hard for an adversary to reach. However, it has been discovered that many devices out there allow access to ADB over the network simply by connecting to port 5555.
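As an added example (not part of the original post), here is a small audit helper a defender can run against their own devices: it parses the output you would collect over a normal USB ADB session with `adb shell getprop` and `adb shell netstat -ltn`, and reports whether adbd is configured to accept TCP connections and whether port 5555 is bound to a non-loopback address. The sample `getprop` and `netstat` text below is constructed to resemble the real output formats; the property names `service.adb.tcp.port` and `persist.adb.tcp.port` are the ones adbd reads, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# getprop prints one "[key]: [value]" pair per line.
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Properties that make adbd listen on a TCP port instead of (or as well as) USB.
ADB_TCP_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")
ADB_PORT = 5555
LOOPBACK = ("127.0.0.1", "::1")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn `adb shell getprop` output into a dict; unparseable lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for each TCP socket in LISTEN state.

    Expects `netstat -ltn` style rows: proto recv-q send-q local foreign state.
    """
    listeners: List[Tuple[str, int]] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[-1] != "LISTEN":
            continue
        # rpartition handles both "0.0.0.0:5555" and the IPv6 form ":::5555".
        addr, _, port = parts[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit_adb_tcp(props: Dict[str, str], listeners: List[Tuple[str, int]]) -> List[str]:
    """Return human-readable findings; an empty list means USB-only ADB."""
    findings: List[str] = []
    for key in ADB_TCP_PROPS:
        val = props.get(key, "")
        # -1 / 0 / empty all mean "TCP transport disabled".
        if val not in ("", "-1", "0"):
            findings.append(f"{key}={val}: adbd is configured to accept TCP connections")
    for addr, port in listeners:
        if port == ADB_PORT and addr not in LOOPBACK:
            findings.append(f"port {port} is bound to {addr} and reachable from the network")
    return findings


# Constructed sample output for a device shipped with network ADB enabled.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.2]
[service.adb.tcp.port]: [5555]
[sys.usb.config]: [mtp,adb]
"""

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
"""


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample; three findings are expected."""
    return audit_adb_tcp(parse_getprop(SAMPLE_GETPROP), parse_listeners(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for finding in audit_sample() or ["no network ADB exposure detected"]:
        print(finding)
```

If the audit reports findings on a device you own, `adb usb` over the USB connection switches adbd back to USB-only mode; for devices where a vendor build re-enables the TCP port on every boot, the fix has to come from the firmware, so the right mitigation in the meantime is to keep such devices off networks an attacker can reach and to block port 5555 at the network edge.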

It is not surprising, then, that there has been a massive spike in scanning of port 5555 recently. And researchers have already discovered a malware botnet that exploits this to mine cryptocurrency on Android devices.


So far it’s a botnet mining bitcoin, but the worst-case scenario for a sudo backdoor on an Android device is pretty bad. It will be interesting to learn more about what types of devices this is affecting. According to the report, they have found “everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea.” As an example, a specific Android TV device was also found to ship in this condition.

ADB open listening to port 5555, what could possibly go wrong?
