Following the discovery of the first IoT botnet, Hide and Seek (HNS), in January this year, Bitdefender Labs recently reported that it has discovered new variants. Abusing an exposed Android Debug Bridge (ADB) interface, the feature developers use to debug Android devices, this variant infects Android devices over a WiFi network connection and makes them members of the botnet.
Although ADB is not enabled by default on every Android device, some Android phone manufacturers ship devices with it switched on, and such devices can be reached through the ADB-over-WiFi remote connection on TCP port 5555. Once connected to a device that exposes ADB this way, an attacker obtains a root-level shell and can run or install anything on the infected device.
Hide and Seek was first discovered by Bitdefender on January 24 this year, when about 14,000 devices were infected. By January 26 the number had grown rapidly to more than 32,000 infected IoT devices, and the malware remained on infected devices after a restart. In some cases this IoT malware copies itself into /etc/init.d/, the directory that holds daemon start-up scripts on Linux-based operating systems such as routers and other IoT devices. Because it sits there like any other daemon script, the device's operating system starts the malware automatically after a reboot.
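A defender-side check, added here as an example and not part of the Bitdefender report: it parses a constructed `ss -ltnp` listing to find a socket on the ADB port 5555 bound to a non-loopback address (reachable from the WiFi segment), and reviews a constructed /etc/init.d listing against a known-good baseline for the reboot-persistence pattern described above. The sample output, the baseline set and the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `ss -ltnp` output (not captured from a real device).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5555      0.0.0.0:*         users:(("adbd",pid=812,fd=9))
LISTEN 0      128    0.0.0.0:5555        0.0.0.0:*         users:(("adbd",pid=812,fd=10))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=401,fd=3))
"""

ADB_TCP_PORT = 5555
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
# State, Recv-Q, Send-Q, then "addr:port" of the local side.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def exposed_adb_listeners(ss_output, port=ADB_TCP_PORT):
    """Return local addresses where a socket listens on the ADB TCP port
    on a non-loopback address, i.e. reachable over WiFi, not just locally."""
    exposed = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port and m.group(1) not in LOOPBACK:
            exposed.append(m.group(1))
    return exposed

def suspicious_initd_entries(entries, baseline, now, max_age=timedelta(days=7)):
    """entries: {script name: mtime} read from /etc/init.d; baseline: names
    the firmware image is known to ship. Flag anything unknown or freshly
    modified, the start-up-script persistence HNS uses to survive a reboot."""
    flagged = []
    for name, mtime in entries.items():
        if name not in baseline or now - mtime < max_age:
            flagged.append(name)
    return sorted(flagged)

# Constructed /etc/init.d listing for a router-style Linux host (assumption).
NOW = datetime(2018, 9, 1, 12, 0)
SAMPLE_INITD = {
    "network": NOW - timedelta(days=400),
    "dropbear": NOW - timedelta(days=400),
    "zz-unknown": NOW - timedelta(hours=3),  # not in baseline, modified today
}
KNOWN_INITD = {"network", "dropbear", "firewall"}

if __name__ == "__main__":
    print("ADB reachable on:", exposed_adb_listeners(SAMPLE_SS))
    print("init.d entries to review:",
          suspicious_initd_entries(SAMPLE_INITD, KNOWN_INITD, NOW))
```

On a real host, feed the functions the live `ss -ltnp` output and a directory listing of /etc/init.d; a 5555 listener on a wildcard or LAN address is the configuration this variant relies on.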
Source and image: Bitdefender