Takes advantage of remote connections without authentication

Oct 8, 2018 20:52 GMT

The Hide and Seek IoT botnet has added a new feature to its arsenal: it is now capable of infecting new Android-based devices via a Wi-Fi connection by using an Android Debug Bridge (ADB) security flaw, as discovered by Bitdefender Labs.

As reported by Bitdefender Labs, the new Hide and Seek variant is capable of recruiting new bots in the network by exploiting the Android Debug Bridge (ADB) feature used for troubleshooting by Android developers.

Although not all Android devices come with ADB toggled on by default, some Android vendors decide to leave it enabled, providing a simple-to-exploit attack vector using Wi-Fi ADB remote connections through port 5555.

Connecting to an Android system where ADB is enabled by default allows attackers to get shell access as root, giving them the possibility to run and install anything on the compromised device with full admin privileges.

Hide and Seek can now infect Android devices using the insecure Android Debug Bridge (ADB) feature left enabled by vendors

The Hide and Seek IoT botnet was first detected by Bitdefender on January 24, when it was made up of around 14,000 devices, but it quickly doubled in size, amassing over 32,000 IoT devices by January 26.

At first, the botnet was using Telnet-based credentials dictionary attacks to compromise other IoT devices and increase its numbers, but on April 30 Bitdefender discovered that Hide and Seek gained persistence abilities and support for infecting more IPTV camera models.

The Hide and Seek botnet could very soon add tens of thousands of extra devices to its network given that a quick Shodan search for the Android Debug Bridge product feature on port 5555 results in just over 39,000 potentially exploitable devices.

Even though the threat actors behind Hide and Seek IoT have constantly expanded the malware's capabilities since its discovery in January 2018, there is no information available on the purpose of the botnet.