A new network worm has appeared on Android devices, which it exploits mode Android Debug Bridge (ADB) of the operating system - a function that is activated by default by phone manufacturers.
The worm was uncovered in one blog post, by security researcher Kevin Beaumont, who wrote that ADB is completely unprotected and thousands of Android devices connected to the Internet are currently exposed to this vulnerability.
How to exploit it?
Hardware manufacturers release their products with Android Debug Bridge enabled by default and the service connects to the TCP 5555 port through which one can connect to a device over the Internet.
"However, in order to be activated - theoretically - one should log in with a USB device and activate Debug Bridge first," says Kevin.
Since ADB is a troubleshooter, it allows the user to access several sensitive tools, including a Unix shell. Taking advantage of this feature, a cryptocurrency miner worm, called ADB.Miner worm, was spread on various devices in February. The worm can find new devices to offend by using the 5555 port.
The risks at stake
According to Kevin, there are thousands of Android devices that are still exposed. Anyone who logs on to an ADB-capable device can execute remote commands.
"This is particularly worrying as it allows anyone - without a password - to get root access remotely from these devices and then install them in hidden software and perform malicious actions.
ADB.Miner is still active
The ADB.Miner worm, first introduced in February by Qihoo 360 Netlab, is still active and the scan activity on 5555 has not yet stopped. Millions of scans were recorded only in the last month.
Kevin advises Android device owners to immediately disable the ADB interface. "This problem has nothing to do with the Android Debug Bridge itself," said Kevin. "ADB is not designed to operate in this way."
He also added that vendors should not have Debug Bridge-enabled products as this leads to the creation of Root Bridge - a situation where anyone can abuse the devices.