Posted on November 3, 2018 at 1:20 PM
According to new reports, thousands of Android devices still remain unsecured and vulnerable to malicious attacks. While this situation is not very encouraging, it was made worse by the fact that two large botnets — Fbot and Trinity — entered a turf war, trying to establish dominance over these devices.
Android devices’ secret vulnerability
The battle between the botnets has been going on for over a month, according to reports published by cybersecurity companies. The turf war arose because both botnets go after the same targets, which makes them direct competitors.
According to researchers, the Android devices belonging to these unsuspecting users expose a vulnerable port, TCP port 5555, which serves an Android feature called ADB, the Android Debug Bridge. While all Android devices have this feature, most have it disabled by default.
Even so, thousands of devices around the world still have the feature active, which leaves them open to attack. The situation is made worse by the fact that the ADB interface requires no password: when enabled it is completely defenseless, and all a botnet needs in order to infect the device is for it to be reachable over the internet. When these conditions are met, the ADB feature amounts to a wide-open backdoor.
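As an added example, not part of the original report: a small Python detector that flags local devices accepting an ADB handshake on TCP port 5555 from outside the LAN, which is the exposure described above. The 24-byte ADB message header and the CNXN command come from the public ADB protocol; the flow-record format, the RFC 1918 definition of "the LAN" and the sample flows are assumptions constructed for this example.

```python
import ipaddress
import struct

# ADB wire protocol: every message starts with a 24-byte little-endian header of
# six uint32 fields (command, arg0, arg1, data_length, data_check, magic), with
# magic the bitwise complement of command. CNXN is the handshake a client sends
# right after connecting to TCP port 5555; the daemon answers without a password.
ADB_HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43  # the bytes b"CNXN" read as a little-endian uint32
# Assumption: the monitored LAN uses RFC 1918 space; any other source is external.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_adb_header(payload: bytes):
    """Decode an ADB message header, or return None if the bytes are not ADB."""
    if len(payload) < ADB_HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(payload)
    if magic != command ^ 0xFFFFFFFF:
        return None
    return {"command": command, "arg0": arg0, "arg1": arg1,
            "data_length": length, "data_check": check}

def is_external_adb_handshake(flow: dict) -> bool:
    """True when a non-LAN address sends a CNXN to TCP/5555 on a local device."""
    if flow["proto"] != "tcp" or flow["dport"] != 5555:
        return False
    src = ipaddress.ip_address(flow["src"])
    if any(src in net for net in LAN_NETWORKS):
        return False  # a developer's own workstation, not an Internet scanner
    header = parse_adb_header(flow["payload"])
    return header is not None and header["command"] == A_CNXN

def flag_exposed_devices(flows) -> list:
    """Local device addresses that accepted an ADB handshake from outside."""
    return sorted({f["dst"] for f in flows if is_external_adb_handshake(f)})

# Constructed sample flows (first payload bytes per connection), not real capture
# data; the CNXN carries version 0x01000000, max payload 4096 and banner "host::".
CNXN_BANNER = b"host::"
SAMPLE_CNXN = ADB_HEADER.pack(A_CNXN, 0x01000000, 4096, len(CNXN_BANNER),
                              sum(CNXN_BANNER), A_CNXN ^ 0xFFFFFFFF) + CNXN_BANNER
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "192.168.1.20", "proto": "tcp", "dport": 5555,
     "payload": SAMPLE_CNXN},                   # Internet host: flag the device
    {"src": "192.168.1.10", "dst": "192.168.1.20", "proto": "tcp", "dport": 5555,
     "payload": SAMPLE_CNXN},                   # LAN workstation: expected use
    {"src": "198.51.100.9", "dst": "192.168.1.21", "proto": "tcp", "dport": 5555,
     "payload": b"GET / HTTP/1.0\r\n\r\n"},     # not ADB at all: ignore
]
```

Any device this returns is one whose ADB daemon is reachable from the internet and should have ADB over TCP disabled or firewalled.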
Trinity botnet’s origins
The number of vulnerable devices varies, but estimates say that there are at least 30,000-35,000 of them during the day. As soon as cybercriminals noticed them, which is believed to have happened in February 2018, they built a botnet on a malware strain called ADB.Miner. The botnet quickly infected around 7,500 Android devices, mostly TV set-top boxes and TVs themselves.
For a while, ADB.Miner simply used these devices to mine cryptocurrency, and it is believed the operators made a decent profit by doing so. Over time, however, the malware strain evolved into the Trinity botnet. Trinity was spotted in September of this year by Qihoo 360 Netlab, and it was noticed again in October by Ixia.
These reports noted that Trinity uses the same infection method as ADB.Miner: attacking devices through the exposed ADB interface. As soon as it discovers an unsecured device, it breaks in, plants the crypto-mining malware, and the device becomes part of the botnet.
This is when Fbot appeared
Given that Trinity (and ADB.Miner before it) had used this method successfully for more than half a year, competition began to appear. Besides spotting Trinity in September, researchers also caught a glimpse of another botnet searching for devices with the ADB port open. This was Fbot.
One thing to note about Fbot is that it has never been observed mining digital currencies, at least so far. According to reports, Fbot's code shares many similarities with an IoT DDoS malware called Satori. So far it has only been seen trying to spread to as many devices as possible and removing Trinity's malware from them. It can do this because it carries code that searches every device it infects until it locates Trinity's file name; it then deletes that file and claims the device for itself.
As mentioned, the purpose of this botnet is still unclear. Whatever it may be, the fact is that Android users are the victims. This entire war for their devices takes place without their knowledge, which is why most of these devices remain unsecured. To secure their devices, Android users can follow the instructions provided here.