New Android crypto-miner uses Android Debugging Tool to spread further

SonicWall Threats Research team received reports of yet another Android crypto-miner spreading in the wild. Reports suggest this malware comes with worm-like propagation capabilities, making it more dangerous than the usual crypto-miners, whose numbers are rising.

We were able to identify a number of different components belonging to this threat. We will continue to update this post with more information as things get clearer.

SSS

One of the components is a file named sss. This contains instructions which begin the execution of droidbot (another important component):

This file contains references to other reported components, which have been stored in the tmp directory on the infected device:

Droidbot

This component of the threat performs two functions:

  • It tries to find other devices that can be used as targets to spread this threat further
  • It activates the mining component of this threat on the infected device

Network propagation

As mentioned above, this threat tries to spread to other Android devices like a worm. To do so, the component droidbot contains commands that search for devices connected to the infected device which may have USB debugging enabled. As the name suggests, this feature allows an Android user to connect to the device via Android Debug Bridge (ADB). It is generally used to run commands on the device, to push and pull files from the device via the command line, or for general debugging.

However, ADB is not enabled by default, as a security measure. Enabling it takes a number of steps (which will not be covered in this blog), so the likelihood of this threat spreading via its current means is not extremely high.

But if the infected device manages to find other devices which have ADB enabled, it tries to push some files via port 5555 using adb. The following are a few of the hardcoded commands that do the job:
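The propagation behaviour described above has a simple network footprint a defender can look for: one host opening TCP connections to port 5555 on many peers. The following is an added detection example, not code from the SonicWall post or from the malware; the connection-log format, the sample lines and the fan-out threshold are constructed for illustration and should be adapted to whatever your firewall or flow collector actually emits.

```python
"""Flag hosts that fan out to TCP port 5555 (ADB over TCP) on many peers.

Added example, not from the SonicWall post. The log format is constructed:
"<epoch> <src_ip> <dst_ip> <dst_port> <proto>", one connection per line.
"""
from collections import defaultdict

ADB_PORT = 5555
# Number of distinct peers on tcp/5555 before we raise an alert (assumed value;
# tune to your environment, where legitimate ADB-over-TCP use is usually rare).
FANOUT_THRESHOLD = 3

# Constructed sample: 10.0.0.23 probes four neighbours on tcp/5555,
# 10.0.0.9 touches a single neighbour and then makes an unrelated HTTPS call.
SAMPLE_LOG = """\
1518480000 10.0.0.23 10.0.0.5 5555 tcp
1518480001 10.0.0.23 10.0.0.6 5555 tcp
1518480002 10.0.0.23 10.0.0.7 5555 tcp
1518480003 10.0.0.23 10.0.0.8 5555 tcp
1518480004 10.0.0.9 10.0.0.5 5555 tcp
1518480005 10.0.0.9 93.184.216.34 443 tcp
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}


def adb_fanout(log_text, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: sorted list of peers} for sources that contacted at
    least `threshold` distinct peers on tcp/5555."""
    peers = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] == "tcp" and rec["dport"] == ADB_PORT:
            peers[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in adb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src} contacted {len(dsts)} hosts on tcp/{ADB_PORT}: "
              + ", ".join(dsts))
```

The single connection from 10.0.0.9 is below the threshold and stays quiet, which is the point of keying on fan-out rather than on any one connection to port 5555; a legitimate developer workstation talking to one phone should not trip the rule.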

Xmrig32 and Xmrig64

These Monero cryptocurrency miners are dropped by this threat on the device in the tmp folder:

The mining apk

In addition to the miners mentioned above, droidbot drops and executes a crypto-miner apk on the infected device with package name – com.android.good.miner:

This sample contains an HTML page in its assets folder with mining script code in it; this is the payload of this malicious apk. We have covered a similar Android crypto-miner threat in the past.

The HTML page contains a mining script that is opened in a WebView once the app loads on the device:

Configuration file

The file config.json contains the configuration that is read before mining starts on the device. This file mentions two mining pools:

  • pool.monero.hashvault.pro:5555
  • pool.minexmr.com:7777

The wallet address is:

  • 44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr
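Pool endpoints and wallet addresses like the ones above are the indicators most worth pulling out of a miner's configuration, since they are what the infected device will talk to and what ties separate samples to one campaign. The following is an added example, not code from the SonicWall post: it extracts those indicators from a config.json laid out in the xmrig "pools" format (an assumption about this sample's file; the post does not show its exact keys), using the pool hosts and wallet the post reports as constructed input.

```python
"""Extract mining-pool endpoints and wallet addresses from an xmrig-style
config.json.

Added example, not from the SonicWall post. The JSON below is constructed
from the pool hosts and wallet reported in the post; the "pools"/"url"/"user"
key layout is the xmrig one and is an assumption about this sample's file.
"""
import json
import re

# Monero primary addresses are 95 base58 characters and start with '4'.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")

WALLET = ("44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZ"
          "yfXNzMn8YYF2466d3FSDT7gJS8gdHAr")

# Constructed config using the two pools and the wallet named in the post.
SAMPLE_CONFIG = json.dumps({
    "algo": "cryptonight",
    "pools": [
        {"url": "pool.monero.hashvault.pro:5555", "user": WALLET, "pass": "x"},
        {"url": "pool.minexmr.com:7777", "user": WALLET, "pass": "x"},
    ],
})


def looks_like_monero_address(addr):
    """Cheap shape check so a worker name or password is not mistaken for a wallet."""
    return bool(MONERO_ADDR.match(addr))


def extract_iocs(config_text):
    """Return {"pools": [(host, port), ...], "wallets": [addr, ...]} from the
    config. Pool entries without a numeric port get port None."""
    cfg = json.loads(config_text)
    pools, wallets = [], set()
    for pool in cfg.get("pools", []):
        url = pool.get("url", "")
        # Strip an optional scheme such as "stratum+tcp://" before splitting.
        url = url.split("://", 1)[-1]
        host, _, port = url.rpartition(":")
        if not host:            # no ':' at all, so the whole string is the host
            host, port = port, ""
        pools.append((host, int(port) if port.isdigit() else None))
        user = pool.get("user", "")
        if looks_like_monero_address(user):
            wallets.add(user)
    return {"pools": pools, "wallets": sorted(wallets)}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_CONFIG)
    for host, port in iocs["pools"]:
        print(f"pool   {host}:{port}")
    for addr in iocs["wallets"]:
        print(f"wallet {addr}")
```

The host/port pairs feed straight into DNS or proxy blocklists, and the wallet is the value to search for across other samples' configurations, since miners of one operator typically share it even when the pools differ.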

The stats on minexmr.com show the hash rate for this wallet over the last 10 days. As is evident, this threat started to spread around February 4 and its activity has been rising since then, reaching its peak today, February 13:

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.ADB.XMRG (Trojan)
  • GAV: AndroidOS.ADBM.DB (Trojan)
  • GAV: AndroidOS.ADBM (Trojan)

Following are the samples analysed in this blog along with their MD5s:

  • bc84e86f8090f935e0f1fc04b04455c6 – bot.dat
  • cd37d59f2aac9101715b28f2b28b7417 – botsuinit_1_1.txt
  • 27c3e74b6ddf175c3827900fe06d63b3 – config.json
  • 412874e10fe6d7295ad7eb210da352a1 – droidbot
  • 914082a04d6db5084a963e9f70fb4276 – droidbot.apk
  • 9a10ba1d64a02ee308cd6479959d2db2 – nohup
  • 6a22c94d6e2a18acf2377c994d0186af – sss
  • ac344c3accbbc4ee14db0e18f81c2c0d – xmrig32
  • cc7775f1682d12ba4edb161824e5a0e4 – xmrig64