New Matryosh botnet targeting Android devices

February 5, 2021

Netlab, the networking security division of Chinese security firm Qihoo 360, said it had discovered a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet, according to a ZDNet report.

The botnet, Matryosh, is going after Android devices that have left their ADB debug interface exposed on the internet. Netlab says Matryosh is a ADB-targeting botnet, using the Tor network to hide its command and control servers. The encryption algorithm implemented in this botnet and the process of obtaining C2 are nested in layers, "like Russian nesting dolls," why is why Netlab named it Matryosh.

Commenting on the news, Burak Agca, Engineer at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “The key feature of this attack is the exploitation of ADB, a long standing Android feature that’s meant to provide developers a simple method to communicate with, and remotely control devices. ADB allows anyone to connect to a device, install apps and execute commands, without authentication.

Agca adds, "This type of attack is not necessarily new with similar port5555 botnet attacks designed to target mobile cryptocurrency wallets going back to 2018. Since Android 9 and the introduction of Android Enterprise, Google has greatly improved the device management capabilities provided by mobile device management providers to limit against these types of attacks. Mobile threat defense plugs the gap where there is a requirement for users to have access to system level features and options.

"Today, modern admins can block the use of ADB on corporately managed devices but not across unmanaged states where bring your own device policies exist. Without mobile threat defense software installed and running on personally enabled devices, corporate IT lacks visibility as to whether this feature has been enabled, and a method by which to warn users and protect access to data. Without mobile threat defense software installed and running, there is no way to detect if malicious payloads have been pushed to the device.

"Mobile threat defense solutions allow organization to mitigate against the risk posed by this threat across their managed and BYOD mobile fleets by calling out if ADB is turned on and if the device has met with a malicious payload. Where mobile device management might simply enforce the block of a specific device setting such as ADB. Mobile Threat defense would detect and expose admins to a pattern of alerts that would indicate a DDoS botnet attack.

"Mobile EDR will become critical in uncovering this kind of attack and underlying threat actor network.”

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

New Matryosh botnet targeting Android devices

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

New Matryosh botnet targeting Android devices

Related Articles

Related Products

Related Events

The latest news and information

Content written for business-minded executives who manage enterprise risk and security