Security researchers have spotted a new growing botnet over the weekend distributing malware to Android devices and covertly mine cryptocurrency. According to researchers at Qihoo 360 Netlab, the botnet dubbed ADB.Miner targets Android devices – mostly smart TVs, TV top boxes and smartphones - via Internet port 5555.
"Overall, we think there is a new and active worm targeting Android systems' ADB debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours," Netlab researchers wrote in a blog post. "Those infected devices are actively trying to spread malicious code."
This port is used by the operating system's command-line tool Android Debug Bridge which is used for debugging, installing apps and other diagnostic tests.
The "worm-like" ADB.Miner looks for open 5555 ports on vulnerable devices using scanning code from the Mirai botnet, 360 Netlab researcher Hui Wang said. This marks the first time a strain of malware has borrowed code from Mirai to target Android devices, as opposed to IoT or networking devices.
Once infected, the botnot deploys malicious code to secretly mine Monero coins. Netlab researchers said the hackers have not yet cashed out any of their mined Monero so far.
Wang said the botnet has managed to infect over 5,000 devices within just 24 hours and is still rapidly growing. Most of the devices targeted so far are located in China and South Korea.
Researchers have not identified the device models targeted or provided any additional details regarding the ADB vulnerability exploited by the hackers behind this botnet.
This isn't the first time hackers have leveraged massive botnets to mine cryptocurrency, particularly Monero.
Last week, Proofpoint researchers uncovered the Smominru botnet that has been active since May 2017, infected over 526,000 Windows hosts and generated more than $2.45m (£1.73m) worth of Monero coins so far.
In January, Netlab researchers uncovered a Satori variant dubbed Satori.Coin.Robber that targeted computers running the cryptocurrency miner Claymore and replacing wallet addresses with their own to steal mined funds.