New Matryosh botnet targeting Android devices

February 5, 2021

Netlab, the networking security division of Chinese security firm Qihoo 360, said it had discovered a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet, according to a ZDNet report.

The botnet, Matryosh, is going after Android devices that have left their ADB debug interface exposed on the internet. Netlab says Matryosh is a ADB-targeting botnet, using the Tor network to hide its command and control servers. The encryption algorithm implemented in this botnet and the process of obtaining C2 are nested in layers, "like Russian nesting dolls," why is why Netlab named it Matryosh.

Commenting on the news, Burak Agca, Engineer at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “The key feature of this attack is the exploitation of ADB, a long standing Android feature that’s meant to provide developers a simple method to communicate with, and remotely control devices. ADB allows anyone to connect to a device, install apps and execute commands, without authentication.

Agca adds, "This type of attack is not necessarily new with similar port5555 botnet attacks designed to target mobile cryptocurrency wallets going back to 2018. Since Android 9 and the introduction of Android Enterprise, Google has greatly improved the device management capabilities provided by mobile device management providers to limit against these types of attacks. Mobile threat defense plugs the gap where there is a requirement for users to have access to system level features and options.

"Today, modern admins can block the use of ADB on corporately managed devices but not across unmanaged states where bring your own device policies exist. Without mobile threat defense software installed and running on personally enabled devices, corporate IT lacks visibility as to whether this feature has been enabled, and a method by which to warn users and protect access to data. Without mobile threat defense software installed and running, there is no way to detect if malicious payloads have been pushed to the device.

"Mobile threat defense solutions allow organization to mitigate against the risk posed by this threat across their managed and BYOD mobile fleets by calling out if ADB is turned on and if the device has met with a malicious payload. Where mobile device management might simply enforce the block of a specific device setting such as ADB. Mobile Threat defense would detect and expose admins to a pattern of alerts that would indicate a DDoS botnet attack.

"Mobile EDR will become critical in uncovering this kind of attack and underlying threat actor network.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

This webinar will cover additional, and often overlooked, security risks and mitigation strategies for cannabis businesses, including vaults and storage, guards and transportation.

Poll

Business Travel Security

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

New Matryosh botnet targeting Android devices

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

New Matryosh botnet targeting Android devices

Related Articles

Related Products

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.