New Android crypto-miner uses Android Debugging Tool to spread further
SonicWall Threats Research team received reports of yet another Android crypto-miner spreading in the wild. Reports suggest this malware comes with worm-like propagation capabilities making it more dangerous compared to the usual crypto-miners that are rising in numbers.
We were able to identify a number of different components belonging to this threat, we will continue to update this post with more information as things get clearer.
SSS
One of the components is a file named sss. This contains instructions which begin the execution of droidbot (another important component):
This file contains references to other reported components, these have been stored in the tmp directory on the infected device:
Droidbot
This component of the threat performs two functions:
- It tries to find other devices that can be used as targets to spread this threat further
- It activates the mining component of this threat on the infected device
Network propagation
As mentioned above this threat tries to spread to other android devices like a worm. To fulfill that, the component droidbot contains commands that search for devices connected to the infected device which may have USB debugging enabled. As the name suggests this feature allows an Android user to connect with the device via Android Debug Bridge (ADB). This is generally used to run commands on the device, for pushing and pulling files from the device via command line or general debugging.
However ADB is not enabled by default as a security measure. To do so a number of steps are needed (which will not be covered in this blog) so the likelihood of this threat spreading via its current means is not extremely high.
But if the infected device manages to find other devices which may have adb ON, it tries to push some files via port 5555 using adb. Following are few hardcoded commands that do the job:
Xmrig32 and Xmrig64
These Monero cryptocurrency miners are dropped by this threat on the device in the tmp folder:
The mining apk
In addition to the miners mentioned above, droidbot drops and executes a crypto-miner apk on the infected device with package name – com.android.good.miner:
This sample contains an html page in its assets folder with mining script code in it, this is the payload of this malicious apk. We have covered a similar Android crypto-miner threat in the past.
The html page contains a mining script that is opened as part of a webview once the app loads on the device:
Configuration file
The file config.json contains configuration which is used before the mining work starts on the device. This file mentions two mining pools:
- pool.monero.hashvault.pro:5555
- pool.minexmr.com:7777
The wallet address is:
- 44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr
Based on the stats on minexmr.com the hash rate can be seen for the last 10 days. As evident this threat started to spread around February 4 and its activity has been rising since then reaching its peak today, February 13:
Sonicwall Capture Labs provides protection against this threat with the following signatures:
- GAV: AndroidOS.ADB.XMRG (Trojan)
- GAV: AndroidOS.ADBM.DB (Trojan)
- GAV: AndroidOS.ADBM (Trojan)
Following are the samples analysed in this blog along with their MD5’s:
- bc84e86f8090f935e0f1fc04b04455c6 – bot.dat
- cd37d59f2aac9101715b28f2b28b7417 – botsuinit_1_1.txt
- 27c3e74b6ddf175c3827900fe06d63b3 – config.json
- 412874e10fe6d7295ad7eb210da352a1 – droidbot
- 914082a04d6db5084a963e9f70fb4276 – droidbot.apk
- 9a10ba1d64a02ee308cd6479959d2db2 – nohup
- 6a22c94d6e2a18acf2377c994d0186af – sss
- ac344c3accbbc4ee14db0e18f81c2c0d – xmrig32
- cc7775f1682d12ba4edb161824e5a0e4 – xmrig64
