Netlab, the networking security division of Chinese security firm Qihoo 360, said it had discovered a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet, according to a ZDNet report. 

The botnet, Matryosh, is going after Android devices that have left their ADB debug interface exposed on the internet. Netlab says Matryosh is an ADB-targeting botnet, using the Tor network to hide its command and control servers. The encryption algorithm implemented in this botnet and the process of obtaining C2 are nested in layers, "like Russian nesting dolls," which is why Netlab named it Matryosh.

Commenting on the news, Burak Agca, Engineer at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “The key feature of this attack is the exploitation of ADB, a long-standing Android feature that’s meant to provide developers a simple method to communicate with, and remotely control, devices. ADB allows anyone to connect to a device, install apps and execute commands, without authentication.

Agca adds, "This type of attack is not necessarily new, with similar port 5555 botnet attacks designed to target mobile cryptocurrency wallets going back to 2018. Since Android 9 and the introduction of Android Enterprise, Google has greatly improved the device management capabilities provided by mobile device management providers to limit against these types of attacks. Mobile threat defense plugs the gap where there is a requirement for users to have access to system-level features and options.

"Today, modern admins can block the use of ADB on corporately managed devices but not across unmanaged states where bring your own device policies exist. Without mobile threat defense software installed and running on personally enabled devices, corporate IT lacks visibility as to whether this feature has been enabled, and a method by which to warn users and protect access to data. Without mobile threat defense software installed and running, there is no way to detect if malicious payloads have been pushed to the device.

"Mobile threat defense solutions allow organizations to mitigate against the risk posed by this threat across their managed and BYOD mobile fleets by calling out if ADB is turned on and if the device has met with a malicious payload. Where mobile device management might simply enforce the block of a specific device setting such as ADB, mobile threat defense would detect and expose admins to a pattern of alerts that would indicate a DDoS botnet attack.

"Mobile EDR will become critical in uncovering this kind of attack and the underlying threat actor network.”
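The visibility gap Agca describes (whether ADB is enabled and reachable over TCP/5555) can be checked from a device report. The following is an added example written for this article, not code from Netlab, Lookout or the Matryosh analysis; it assumes an MDM or MTD agent has already collected the `adb_enabled` global setting, the `service.adb.tcp.port` property and a list of listening sockets, and the sample report is constructed.

```python
# Added example (not from the article, Netlab or Lookout): a defender-side
# check for ADB exposed over TCP, the condition the Matryosh botnet scans for.
# Assumed input: a report built by an MDM/MTD agent from
#   `settings get global adb_enabled`, `getprop service.adb.tcp.port`
# and a socket listing in "proto local_addr:port" form.
import re

ADB_TCP_PORT = 5555
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}   # bound to every interface

def adb_exposure_findings(report: dict) -> list[str]:
    """Return human-readable findings for ADB exposure; empty list means none."""
    findings = []
    if report.get("adb_enabled") == "1":
        findings.append("USB debugging (adb_enabled) is on")
    tcp_port = report.get("service.adb.tcp.port", "")
    if tcp_port.isdigit() and int(tcp_port) > 0:
        findings.append(f"ADB over TCP configured on port {tcp_port}")
    # An adbd listener on 5555 bound to a wildcard address is reachable from
    # any network the device joins; a loopback-only listener is not flagged.
    for line in report.get("listening", []):
        m = re.match(r"^tcp6?\s+(\S+):(\d+)\s*$", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port == ADB_TCP_PORT and addr.strip("[]") in WILDCARD_ADDRS:
            findings.append(f"ADB listener bound to all interfaces ({addr}:{port})")
    return findings

# Constructed sample report, not data from a real device.
SAMPLE_REPORT = {
    "adb_enabled": "1",
    "service.adb.tcp.port": "5555",
    "listening": ["tcp 0.0.0.0:5555", "tcp6 [::]:5555", "tcp 127.0.0.1:8080"],
}

if __name__ == "__main__":
    for finding in adb_exposure_findings(SAMPLE_REPORT):
        print("ALERT:", finding)
```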