A Mining Botnet Has Affected 5,000 Android Users in Just 24 Hours

If you have an Android phone, you may want to be extra careful. A malware creator has figured out an all-new way to infect devices. The malware uses your Android device to mine digital coins for the attackers. It's spreading quickly as well: 5,000 users have been affected by this mining botnet within a 24-hour period.

If your device has port 5555 open, it can happen to you, too.

The Takeover


This particular malware is said to have worm-like capabilities. Because of that, it can spread with or without you, according to the Chinese security firm Netlab’s researchers.

Affected Android devices scan networks looking for other Android devices that have port 5555 open. It’s normally a closed port, but the Android Debug Bridge developer tool opens it for diagnostic tests.

Infected Android devices from 2,750 unique IPs scanned Netlab’s laboratory after the botnet became active, and that all happened in just the first 24 hours. This was particularly alarming to the researchers, as they knew it meant that the malware was moving really quickly.

“Overall, we think there is a new and active worm targeting Android systems’ ADB debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours,” wrote the researchers. “Those infected devices are actively trying to spread malicious code.”

The researchers are also trying to be very careful at this point. They don’t want to give out too much information on how this was done, as they’re afraid of other attackers coming along and trying to do the same thing.

The Mining App


It’s not enough for the attackers to just take control of your device. They want to do a certain amount of evil with it as well.

They download an app to the devices that causes them to mine Monero, a digital coin. It’s unknown what effect the mining has on the device, but Monero mining apps have been known to physically damage Android devices.

All this work in that 24-hour window hasn't been very profitable, though. So far the attackers have only gained about $3 for all their trouble.

What is not known is how exactly the attackers are carrying out this attack since the researchers aren’t publishing all the details. What they did allude to, however, is that it seems to only happen on devices with port 5555 open.

What Can You Do?

Since port 5555 is left open by debugging tools, the suggestion is to leave the debugging tools turned off. That keeps port 5555 closed, so this malware won't have an access point. And if you have to use Android Debug Bridge, just make sure you turn it off when you're done.
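One way to check a device you own for this exposure is to read its system properties, shown here as an added example that is not from the article or from Netlab. It assumes the Android property names `service.adb.tcp.port`, `persist.adb.tcp.port`, `init.svc.adbd` and `ro.adb.secure`, none of which the article mentions, and the sample dumps are constructed.

```python
import re

# `getprop` prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

def parse_getprop(text):
    """Turn a getprop dump into a {key: value} dict, skipping other lines."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def adb_tcp_port(props):
    """Port adbd is told to listen on over TCP, or None for USB-only."""
    # adbd consults service.adb.tcp.port, then persist.adb.tcp.port if empty.
    raw = props.get("service.adb.tcp.port") or props.get("persist.adb.tcp.port", "")
    m = re.match(r"\s*(\d+)", raw)
    port = int(m.group(1)) if m else 0
    return port if 0 < port <= 65535 else None

def audit(text):
    """Summarise whether this device exposes ADB to the network."""
    props = parse_getprop(text)
    port = adb_tcp_port(props)
    running = props.get("init.svc.adbd") == "running"
    return {
        "tcp_port": port,
        "adbd_running": running,
        "auth_required": props.get("ro.adb.secure") == "1",
        "exposed": running and port is not None,
    }

# Constructed sample dumps (not captured from real devices).
EXPOSED = """\
[init.svc.adbd]: [running]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
"""
USB_ONLY = """\
[init.svc.adbd]: [running]
[ro.adb.secure]: [1]
[service.adb.tcp.port]: [-1]
"""
DEBUGGING_OFF = """\
[init.svc.adbd]: [stopped]
[ro.adb.secure]: [1]
"""

if __name__ == "__main__":
    for name, dump in [("exposed", EXPOSED), ("usb-only", USB_ONLY), ("off", DEBUGGING_OFF)]:
        print(name, audit(dump))
```

To audit a real device, pass `audit()` the text of `adb shell getprop` collected over a USB connection. A result with `exposed` true and `auth_required` false is the state the article warns about.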

Were you one of the 5,000 Android users that were infected or are you worried that you could become infected? Add your comments below.

Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.