Posted on August 31, 2019 at 10:07 AM
Ares Attacks: Android Streaming Boxes Targeted by a New Botnet’s Malware
According to recent reports, a standard piece of Android's tooling is once again being targeted by bad actors. This time the software in question is ADB (Android Debug Bridge).
According to a report published by researchers at the cybersecurity firm WootCloud, the software is being targeted by a new botnet known as Ares. ADB is a debugging interface: developers and IT staff use it to manage, troubleshoot and modify Android devices, and it is not something an ordinary user ever needs.
Once development is finished, the interface (in particular its network-facing form, which listens on TCP port 5555) is supposed to be disabled in production firmware, as it is of no use to regular end-users. However, some Android-based streaming set-top boxes (STBs) ship with ADB left active. The same is true for some TVs that run a basic version of Android.
Note that this is not the same system that runs on Android smartphones, watches and the like. The system being targeted is specifically named 'Android OS', while Android smartwatches run Wear OS.
Why is this a problem?
The problem is that the devices ship with ADB not just active but misconfigured: the daemon is reachable over the network, in many cases without any authentication, and that is exactly what the Ares botnet abuses. The botnet's bot malware infects a device and, from that device, scans for further vulnerable devices at the same time.
A single infected device is enough: if it sits inside a larger network, the whole network has to be treated as compromised. It is easy to see why attackers want access to active ADB interfaces, since ADB is used to control and modify the device it runs on, including installing new software.
Researchers also found that attackers can use port 5555 to bring up a remote command shell, which is what ADB offers to any host that can reach it (the adb shell command does exactly that). With streaming boxes running Android OS being pretty much everywhere, there is no lack of potential targets.
At least three firms are selling vulnerable devices
However, not all Android OS-based streaming boxes are vulnerable to such attacks, only those that leave the factory with ADB active. That still includes at least three brands: QezyMedia, HiSilicon, and Cubetek.
Some of the exposed ADB interfaces are password-protected, although this does not make them much safer than fully open ones. The attackers evidently expected this kind of protection, which is why they armed Ares with a password-cracking component. Researchers believe that any device with ADB enabled is vulnerable, whether a password is set or not. (Stock ADB has no password mechanism of its own; its built-in protection is key-based authorization, under which the device challenges a connecting host to prove it holds an RSA key the owner has previously approved.)
The passwords in question are still the manufacturer's defaults, so replacing them with a new, strong password helps wherever the device allows it. The attackers rely on brute-force guessing, and a password they cannot guess keeps them out.
However, with these boxes being yet another product of the IoT sector, their users are unlikely to be aware of the danger of leaving default passwords in place. This has been a problem for IoT ever since it came to be: most IoT device users never consider the implications of leaving passwords unchanged.
This lack of awareness or concern is what makes IoT devices so vulnerable, and why attackers so often recruit them when building a new botnet.
How to protect your device?
WootCloud's report names the three manufacturers mentioned earlier, QezyMedia, HiSilicon, and Cubetek, and advises anyone who bought their products to try disabling the ADB interface manually. Since that is not always possible (or easy), the company also advises blocking TCP port 5555 at the internet router's firewall.
That method also requires some technical knowledge, since the router has to be configured, and it is not a complete fix either: ADB is not the only software that may use this port, and a rule on the router only stops traffic from outside the home network, not scans from an already-infected device on the same LAN. The best course of action for users is to keep the device off the network (or not use it at all) until the manufacturer publishes an update that fixes the issue.