A new Monero-mining bot sprang up several days ago and, in just a few days, has created a botnet consisting of over 7,000 Android devices, most of which are located in China (39%) and Korea (39%).
The rise of the botnet has been flagged by researchers with Qihoo 360’s Netlab, who analyzed the mining malware and discovered that it has worm-like spreading capabilities.
Once ADB.miner – as they’ve dubbed the threat – compromises a device, it scans the local network for devices that have TCP port 5555 open, attempts to copy itself to them, and conscripts them into the botnet. How the initial devices get infected is still unclear.
When scanning for port 5555, the malware is looking for an enabled ADB (Android Debug Bridge) interface listening on the network. The researchers have ruled out the possibility that the malware enables it remotely, but still have no idea how and when this port was opened. (ADB over the network is disabled by default on devices as shipped.)
The researchers initially said that most of the compromised devices are smart phones and smart TVs running on Android. Later they noted that “part of [the infected devices] are TV boxes, but other devices are yet to be determined.”
The researchers also note that the malware’s code structure is similar to Mirai’s, and that it uses Mirai’s SYN scan module to accelerate its scanning.
ADB.miner has a way to ensure its persistence on the infected devices and mines Monero through an APK file that uses webview to load a local HTML page that contains a Coinhive mining script.
The mining is set up through two mining pools – pool.monero.hashvault.pro:5555 and pool.minexmr.com:7777 – but the proceeds are set to be deposited in the same Monero wallet address.
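The behaviour described above gives a network defender three observable signals: a completed inbound connection on TCP 5555 (an exposed ADB interface), outbound connections to the two named pool endpoints, and one host probing many neighbours on 5555. The script below is an added example, not code from Netlab or from this article; it runs that heuristic over a constructed, fabricated flow log in an assumed "timestamp src:port -> dst:port proto state" format, and the scan threshold and state names are assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Indicators taken from the article: ADB listens on TCP 5555, and the bot
# submits work to these two pool endpoints.
ADB_PORT = 5555
MINING_POOLS = {
    ("pool.monero.hashvault.pro", 5555),
    ("pool.minexmr.com", 7777),
}
# States that show a listener actually answered (assumed log vocabulary).
OPEN_STATES = {"accepted", "established"}

# Assumed flow-log line format: "<ts> <src>:<port> -> <dst>:<port> <proto> <state>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<state>\w+)$"
)

# Constructed sample flow log (not real capture data): one Android box
# (10.0.0.12) that was reached over ADB, talks to a pool and probes its
# neighbours; one host that only talks to a pool; some benign traffic.
SAMPLE_FLOWS = """\
2018-02-04T10:00:01Z 10.0.0.7:51010 -> 10.0.0.12:5555 tcp accepted
2018-02-04T10:00:05Z 10.0.0.12:49152 -> pool.minexmr.com:7777 tcp established
2018-02-04T10:00:09Z 10.0.0.12:49153 -> 10.0.0.13:5555 tcp syn
2018-02-04T10:00:09Z 10.0.0.12:49154 -> 10.0.0.14:5555 tcp syn
2018-02-04T10:01:00Z 10.0.0.20:52000 -> 10.0.0.21:443 tcp established
2018-02-04T10:01:30Z 10.0.0.30:40000 -> pool.monero.hashvault.pro:5555 tcp established
2018-02-04T10:02:00Z 10.0.0.7:51011 -> 10.0.0.40:5555 tcp refused
this line is garbage and must be skipped
"""


def parse_flows(text):
    """Yield parsed flow records, silently skipping lines that do not match."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def analyze(text, scan_threshold=2):
    """Return {host: sorted findings} for hosts showing ADB.miner-style traffic.

    adb_exposed         -- a peer completed a connection to this host on 5555/tcp
    mining_pool_contact -- this host connected to one of the two named pools
    scanning_adb        -- this host tried >= scan_threshold distinct targets on 5555/tcp
    """
    findings = defaultdict(set)
    adb_targets = defaultdict(set)
    for rec in parse_flows(text):
        if rec["proto"] != "tcp":
            continue
        # Check the pool endpoints first: hashvault also uses port 5555, and a
        # connection to it must not be mistaken for an ADB probe.
        if (rec["dst"], rec["dport"]) in MINING_POOLS:
            findings[rec["src"]].add("mining_pool_contact")
        elif rec["dport"] == ADB_PORT:
            adb_targets[rec["src"]].add(rec["dst"])
            if rec["state"] in OPEN_STATES:
                findings[rec["dst"]].add("adb_exposed")
    for host, targets in adb_targets.items():
        if len(targets) >= scan_threshold:
            findings[host].add("scanning_adb")
    return {host: sorted(f) for host, f in findings.items()}


def likely_infected(results):
    """Hosts that both mine and spread, the combination the article describes."""
    return sorted(h for h, f in results.items()
                  if "mining_pool_contact" in f and "scanning_adb" in f)


if __name__ == "__main__":
    results = analyze(SAMPLE_FLOWS)
    for host, f in sorted(results.items()):
        print(f"{host:12} {', '.join(f)}")
    print("likely infected:", likely_infected(results))
```

A single signal is weak on its own: a developer's workstation legitimately connects to ADB on 5555, and a refused or half-open probe does not prove the target is exposed, which is why only completed connections mark a host as `adb_exposed` and only the combination of pool contact and neighbour scanning is reported as likely infection.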
So far, from one of these pools, the botnet has mined for its master less than 0.065 XMR (approx. $12.5). So, unless the botnet gets much bigger or runs for a long, long time, the earnings will be meager.
For the moment, the number of infected devices has stabilized at 7,000.