Hide and Seek IoT Botnet Learns New Tricks: Uses ADB over Internet to Exploit Thousands of Android Devices
(Sep 26, 2018)
Bitdefender researchers have discovered that the threat actors behind the Android-targeting Internet of Things (IoT) botnet “Hide and Seek,” first discovered in early 2018, have released new updates. New Hide and Seek samples contain a feature that exploits the Android Debug Bridge (ADB), a command line tool used to communicate with a connected Android device. Researchers note that although ADB is typically disabled by default, some Android devices ship with the feature enabled. Hide and Seek abuses this exposed feature, which leaves a potential access point open on internet-connected devices, to target and infect them. As of this writing, the Hide and Seek malware is primarily targeting devices in Taiwan, Korea, China, the U.S., and Russia. Researchers believe that this new functionality could allow the botnet to infect another 40,000 devices in addition to the 90,000 devices Hide and Seek infected in the first few days it was active.
Recommendation: This botnet takes advantage of internet-connected devices that have been misconfigured or have ADB enabled, which can leave the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring.
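As an added defensive example (not code from the Bitdefender research or from this briefing), the script below does the monitoring the recommendation calls for on constructed firewall log lines: it flags accepted inbound connections to the default ADB-over-TCP port, 5555, from non-RFC1918 sources, and it checks whether a captured payload begins with a well-formed ADB CNXN handshake header so that ADB moved to a non-standard port is still recognised. The log format, the port, and the documentation-range sample addresses are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

ADB_PORT = 5555               # default port for "adb tcpip"; assumed, the briefing names no port
ADB_CNXN = 0x4E584E43         # ASCII "CNXN" read as a little-endian uint32 (ADB connect command)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines (hypothetical format, documentation-range source IPs).
SAMPLE_LOGS = """\
2018-09-26T10:01:02Z ACCEPT proto=tcp src=203.0.113.7:51234 dst=192.168.1.20:5555
2018-09-26T10:01:05Z ACCEPT proto=tcp src=192.168.1.10:44321 dst=192.168.1.20:5555
2018-09-26T10:01:09Z ACCEPT proto=tcp src=198.51.100.9:40000 dst=192.168.1.20:443
2018-09-26T10:02:00Z DROP proto=tcp src=203.0.113.8:51000 dst=192.168.1.21:5555
"""

# Constructed ADB CNXN header: cmd, arg0 (version), arg1 (max payload), data_len, data_crc, magic.
SAMPLE_CNXN = struct.pack("<6I", ADB_CNXN, 0x01000000, 0x40000, 0, 0, ADB_CNXN ^ 0xFFFFFFFF)


@dataclass
class Event:
    ts: str
    action: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Event:
    """Split one 'key=value' firewall line into an Event (IPv4 only in this sample format)."""
    ts, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    src, _ = fields["src"].rsplit(":", 1)
    dst, dport = fields["dst"].rsplit(":", 1)
    return Event(ts, action, src, dst, int(dport))


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def find_exposed_adb(log_text: str) -> list:
    """Return (dst, src) pairs for accepted connections to the ADB port from external sources."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if ev.action == "ACCEPT" and ev.dport == ADB_PORT and not is_internal(ev.src):
            hits.append((ev.dst, ev.src))
    return hits


def is_adb_connect(payload: bytes) -> bool:
    """True if payload starts with a 24-byte ADB header whose command is CNXN and whose
    magic field equals command XOR 0xFFFFFFFF, the consistency check the ADB protocol uses."""
    if len(payload) < 24:
        return False
    cmd, _arg0, _arg1, _dlen, _crc, magic = struct.unpack("<6I", payload[:24])
    return cmd == ADB_CNXN and magic == (cmd ^ 0xFFFFFFFF)
```

Feeding real firewall or IDS exports through `find_exposed_adb` gives the inventory of internet-facing hosts that accepted ADB connections; `is_adb_connect` applied to the first bytes of a flow catches the handshake regardless of port.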
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.