Android-Based Devices Under Attack By Crypto Mining Botnet

7 mins
13 September 2020, 09:01 GMT+0000
Updated by Ana Alexandre
13 September 2020, 09:01 GMT+0000
In Brief
  • A crypto mining botnet targets Android-based devices like phones, kiosks, tablets, and smart TVs.
  • By default, most Android devices are insecure right out of the package.
  • Mostly the botnet secretly mines Monero, Litecoin and Bitcoin.
  • promo

Botnets, aka “robot network.” The mighty and pervasive malicious code scripts designed by code wizards and wielded by capable threat actors. In the conventional sense, a botnet is a kind of malicious backdoor that has been installed across a large number of infected Internet connected devices. This may allow the attacker to launch Distributed Denial-of-Service (DDoS) attacks, keylog a user’s active sessions and steal personal data from the infected device, distribute spam, and access to other systems on the target’s network, so it can spread further, adding more machines to the robot network for the threat actor to control from a command and control server. For this reason, a botnet is also referred to as a “zombie army.” Jindrich Karasek, a cyber threat researcher at cybersecurity company Trend Micro, had been monitoring a cryptocurrency mining-focused malware activity throughout August, after which he shared his findings with BeInCrypto. After setting up a Honeypot environment, which allowed Karasek to simulate Android connected devices, several attempts were made by an unknown threat actor to break in to presumably install an illicit crypto mining botnet. According to the researcher, some cyber criminals seem to have shifted their focus from breaking into computer systems to gaining access to Android-based devices like phones, kiosks, tablets, and smart TVs. This is no surprise as people’s entire personal lives are confined to their smart devices. The reason behind that move could be that the devices are largely left unprotected because oftentimes antivirus protections remain absent, which leaves them vulnerable. Because of this the malware can attack the devices by searching for open Android Debug Bridge (ADB) ports and has spreading capabilities by taking advantage of Secure Socket Shell (SSH), which is a cryptographic network protocol for providing secure remote login, even over unsecured networks. This is made possible because open ADB ports don’t require authentication keys by default, which is similar to the spreading capabilities of the Satori botnet — also known as “Masuta,” a variant of Mirai botnet — which made headlines last year and in June of this year, when several botnet operators were arrested for infecting hundreds of thousands of vulnerable wireless routers and other Internet of Things (IoT) connected devices. 

A versatile cryptojacking malware on the move

Cryptojacking malware has been on the scene for years. It finds a way to break into people’s network devices, buries itself on the system, and then begins stealing resources and of course, collects crypto through illicit means. During the first six months of 2019, cybercriminals reportedly performed 52.7 million cryptojacking attacks. Karasek expounded regarding one crypto mining botnet in particular, explaining that it attempts to break into various IoT and mobile chip architectures such as ARM architectures, x86, m68k, mips, msp, ppc, and sh4. According to the researcher the threat actor’s IP address was scanning the internet for open ADB ports from Android devices facing the Internet. As with all the miners, it employs an evasion technique that decreases the computational power of the Android device, reconfiguring system resources in order to function more efficiently and help ensure its own existence by remaining as inconspicuous as possible. He elaborated on the way the bot would be able to effectively infect Android users, clarifying that the security of Android devices typically is not set up in such a way that could allow a threat actor to jump from device to device over the network. However, the ideal spreading method would be a public wireless access point. Karasek continued:
“Imagine an airport, huge conference room or shopping mall. They might have plenty of Android-based displays, TVs, [and other devices] connected over the network for better administration. Or older Android devices, recklessly connected to the network without any protection. That’s the case.” 
As the narrative delves deeper, Karasek noted that the botnet source code was written very simple and even generically, meaning that it bears no unique characteristics which often appear by code writers who develop a kind of unique style of their own, much in the same way that literature written by famous authors resonate with a certain personality that is unique to their individual writing style. Karasek said:
“Some of its logic has been seen with the Outlaw group, but in fact they might as well share the code for the use by script kiddies. Attacks like this one are with high levels of confidence in cybercriminal activity, rather than APT-related activity. Mostly they were after Monero, Litecoin and Bitcoin.”
The botnet activity is not country specific, according to Karasek. “My experience-backed estimate is that the gain is not more than thousands of dollars. Mining like this is not much effective anymore. Yet enough to support a small group of operators, but not enough to generate profit for a large organisation,” he concluded. Monero (XMR) made its way into headlines earlier this year, thanks in part due to the onset of a new cryptojacking botnet dubbed “Prometei” by researchers working at the Cisco Talos. In 2018, a crypto miner botnet known as Smoninru broke into half a million computing devices, which took command of the devices and forced them to mine close to 9,000 Monero coins. The owners of the devices were not aware that their devices had been compromised. As of 2019, Monero was the preferred cryptocurrency among cybercriminals in underground economies, according to a study published by academic researchers in Spain and the United Kingdom. At the time, over 4% of all XMR in circulation was mined by botnets and cybercriminal operations, with $57 million worth of XMR cashed out by criminals.

Supercomputers are also an attractive target

Smartphones, tablets, smart TVs and personal computers aren’t the only devices threat actors are scanning for to carry their cryptojacking programs. After all, if speed is essential in crypto mining, then the computers with the most power are an obvious choice target.  Nowadays it shouldn’t come as a surprise that threat actors are targeting supercomputers, which supply the fastest calculations on earth. In the conventional sense, supercomputers are normally used to perform scientific calculations thousands of times faster than traditional PCs. Thus, supercomputers are quite obviously an ideal target in the mind of an illicit crypto miner, looking to benefit from their extreme computing power. For example, the performance speed of a supercomputer is usually measured in floating-point operations per second, called “FLOPS,” as opposed to a million instructions per second. To put this into perspective, take for example the fastest supercomputer in the world, known as The Titan, the Cray Titan supercomputer at the Tennessee-based Oak Ridge National Laboratory, which is able to perform 27,000 trillion calculations per second — that’s a theoretical top speed of 27 petaflops. As reported, victims in the United States, Canada, China, parts of Europe, the U.K., Germany and Spain appear to have been the targets in a recent string of crypto mining botnet attacks against high-performance computing labs. Security experts examining the intrusions said that all of these incidents seem to have involved the threat actors using stolen SSH credentials taken from authorized users, which can include researchers at universities and their colleagues.  The researchers performed tests on their systems to determine if they could detect the malware by comparing a known, benign code to a malicious Bitcoin mining script. In turn, they were able to determine that their systems could identify the malicious code without delay, which proved more reliable than using conventional tests. The intrusions into the supercomputers caused them to have to be shut down so the attacks could be investigated. Taking the supercomputers offline allows forensic investigators to isolate the malicious code, effectively cutting off the threat actor from being able to send commands to the infected computers or erase evidence of the intrusion. When the facts are laid bare, it is understandable to assume that users and incident responders are losing the fight against these bad actors. However, nothing could be further from the truth. Cyber threat responders are fighting back with counter weapons of their own. For example, last month, computer scientists at the Los Alamos National Laboratory were able to design a new state-of-the-art artificial intelligence (AI) system that has the capability to possibly identify malware aimed at penetrating supercomputers to mine for cryptocurrency. Gopinath Chennupati, a researcher at the Los Alamos National Laboratory, said:
“Based on recent computer break-ins in Europe and elsewhere, this type of software watchdog will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources. Our deep learning artificial intelligence model is designed to detect the abusive use of supercomputers specifically for the purpose of cryptocurrency mining.”

Finding new ways to both attack and protect

Opinions are divided as to how secure Android-based devices are. Billions of people use Android smartphones or tablets, with many older phone models which aren’t upgradable with the latest firmware or with the latest security patches and updates, and that doesn’t account for the volume of Android users who by preference delay mandatory updates, which exposes their devices to possible attacks. Between personal photos, messages, saved passwords and electronic wallets — which have become essential items allowing users to interact socially and economically — when an unknown threat actor breaks in and gains access to this kind of “digital blueprint,” which defines our personal space, it is felt as the ultimate violation. Add the theft of an individual’s hard earned wages to the mix, and the effects are catastrophic on a personal level. On the other hand, even if  bad actors are proliferating and discovering new ways to take advantage of users and their smart devices or university supercomputers for that matter, security researchers are there, developing and implementing new innovations set to help both users and the industry gain the upper hand in this close battle between cybercriminals and the interconnected world in which we live.


BeInCrypto strives to provide accurate and up-to-date information, but it will not be responsible for any missing facts or inaccurate information. You comply and understand that you should use any of this information at your own risk. Cryptocurrencies are highly volatile financial assets, so research and make your own financial decisions.