Trend Micro, the cybersecurity and defense firm, recently detected a new crypto-mining botnet targeting Android devices. It is reaching many Android phones because the Android Debug Bridge (ADB), the developer interface used to debug apps, is enabled by default on some devices and left reachable over the network.

The malware enters through these open ADB ports and, once installed, spreads to any further system it can reach over SSH. The botnet takes advantage of the fact that an exposed ADB port requires no authentication to obtain a shell on the device. The infiltration observed by Trend Micro begins with a connection from the IP address 45.67.14.179. Once connected through ADB, the attacker uses the command shell to change the working directory and then checks whether the target is a honeypot. The malware then downloads three different miners and decides which one best suits the victim.

The choice depends on the victim’s manufacturer, architecture, processor type, and hardware. The bot then issues the command “chmod 777 a.sh” to make the payload readable, writable and executable by everyone, which lets it run. Finally, once “a.sh” has executed, it is deleted with “rm -rf a.sh*” to remove its traces. The three miners that can be used for this attack are:

To optimize mining, the script also tunes the victim’s memory by enabling HugePages, which lets the system back the miner with memory pages larger than the default page size (fewer TLB misses, so faster hashing).
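The infection chain above (connection from the attacker IP, `chmod 777 a.sh`, execution, HugePages tuning, `rm -rf a.sh*`) is a sequence a defender can match against captured ADB shell activity. The following Python is an added example, not Trend Micro’s code or the botnet’s; it scans constructed log lines for those indicators and separately flags an ADB daemon bound to all interfaces, assuming ADB over TCP is on its conventional port 5555 and that HugePages are enabled through the standard `vm.nr_hugepages` sysctl (both assumptions, not stated in the article).

```python
"""Detect the ADB-borne miner chain from shell/log lines and flag an exposed adbd.
Added example; sample inputs are constructed, not captured traffic."""
import re
from dataclasses import dataclass, field

# Indicators taken from the article: attacker source IP, payload name,
# the permission change and the self-deletion.  The HugePages sysctl path is
# an assumption (standard Linux knob), not something the article states.
ATTACKER_IP = "45.67.14.179"
INDICATORS = {
    "attacker_ip":   re.compile(re.escape(ATTACKER_IP)),
    "payload_chmod": re.compile(r"\bchmod\s+777\s+a\.sh\b"),
    "payload_exec":  re.compile(r"(^|[;&|\s])(\./|sh\s+)a\.sh\b"),
    "self_delete":   re.compile(r"\brm\s+-rf\s+a\.sh\*"),
    "hugepages":     re.compile(r"vm\.nr_hugepages|/proc/sys/vm/nr_hugepages"),
}


@dataclass
class Verdict:
    hits: dict = field(default_factory=dict)  # indicator name -> first line number

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def infected(self) -> bool:
        # Require the payload-handling pair, not just a stray IP or sysctl hit,
        # so a legitimate HugePages tweak alone does not raise an alert.
        return {"payload_chmod", "self_delete"} <= set(self.hits)


def scan_shell_log(lines):
    """Record the first line on which each indicator appears."""
    verdict = Verdict()
    for number, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if name not in verdict.hits and pattern.search(line):
                verdict.hits[name] = number
    return verdict


ADB_TCP_PORT = 5555  # conventional adb-over-TCP port (assumption: not rebound)


def exposed_adb_listeners(netstat_lines):
    """Return wildcard-bound LISTEN sockets on the adb port from `netstat -tln`-style output."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or "LISTEN" not in parts:
            continue
        local = parts[3]
        host, _, port = local.rpartition(":")
        if port == str(ADB_TCP_PORT) and host in ("0.0.0.0", "::", "*"):
            found.append(local)
    return found


# Constructed sample of the chain described in the article.
SAMPLE_LOG = [
    "adb: connection from 45.67.14.179:41234",
    "shell: uname -m",
    "shell: chmod 777 a.sh",
    "shell: ./a.sh",
    "shell: sysctl -w vm.nr_hugepages=128",
    "shell: rm -rf a.sh*",
]

# Constructed benign activity: a developer changing a build script's mode.
BENIGN_LOG = [
    "shell: ls /sdcard",
    "shell: chmod 755 build.sh",
    "shell: sysctl -w vm.nr_hugepages=64",
]

# Constructed `netstat -tln` output with adbd bound to every interface.
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN",
    "tcp6       0      0 :::22                   :::*                    LISTEN",
]

if __name__ == "__main__":
    v = scan_shell_log(SAMPLE_LOG)
    print("infected:", v.infected, "indicators:", v.hits)
    print("exposed adb listeners:", exposed_adb_listeners(SAMPLE_NETSTAT))
```

The `infected` property deliberately keys on the payload pair rather than on the HugePages sysctl or the source IP alone, since either of those can appear in legitimate administration; the listener check is the one to run first on a fleet, because a device with adbd on 0.0.0.0:5555 is exposed whether or not this particular bot has reached it.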

This crypto-mining malware has spread to 21 countries, with its most dominant presence in South Korea. Crypto-mining malware has time and again made its presence felt: recently, attackers cloned a crypto trading platform to distribute malware payloads; another instance is the newly discovered cryptojacking malware BlackSquid; and the Nanshou campaign targeted firms in the healthcare, telecoms, media, and IT sectors.