Android crypto-mining malware is targeting Amazon devices

by Linas Kiguolis - - 2018-06-14

The “Test” app is found causing crypto mining activity on targeted devices

Crypto-malware is targeting Fire TV devices Cryptocurrency mining malware targeting Amazon Fire TV devices has been spotted by security experts. The worm could have already spread to up to 100,000 devices worldwide

Security researches are warning about a new trend among cyber-criminals. It seems that they are slowly shifting from ransomware to crypto mining malware.^[1] This time, their target is Android gadgets, especially Amazon Fire TV and Fire Stick. Cryptominer, dubbed ADB.miner, has been found on these devices mining digital currency Monero.

ADB.miner is linked to the app called “Test” which spreads together with the package name “com.google.time.timer.” As soon as the malware is installed, it starts mining virtual currency. As a result, the affected machine slows down considerably and turns its normal usage to almost impossible. Additionally, the intense utilization of device's resources causes an obvious increase in electricity bill.

Hackers were able to find the vulnerability due to a powerful developer's feature letting the culprits to communicate with the device and even install applications remotely. Originally, this feature should be turned off, but users who employ third-party apps (mostly for watching pirated videos) have it turned on. Among affected devices there are also the ones that have pre-installed Kodi^[2] – a free open-source application which allows users to manage their media.

Being one of the most influential organizations in the world, Amazon has been actively targeted by phishing scams and malware. Alexa's security breach^[3] proved that Amazon's devices are still susceptible to vulnerabilities and the overall security should be improved.

The miner is related to a modified version of Android

So, how do cyber criminals get a chance to misuse Amazon devices? Most probably, the main issue hides inside the fact that Amazon Fire TV sticks and TV boxes use a modified version of Android – FireOS. No matter that the official version and the modified one are similar, the latter one uses a simplified interface which is supposed to help users turn their usage of the TV and a remote control more comfortable.

Additionally, apps that can be downloaded to the Amazon Fire device do not come from the Play store. By default, users are given access to Amazon AppStore which has a limited amount of applications that can be installed. Thus, many users are looking for more entertainment options elsewhere by using third-party sites. Sadly, these programs may be affected by ADB.Miner worm.

Malware spreads to other devices by using ADB function

ADB.miner acts like a worm, i.e., it can infect all devices connected to the same network. It is still unclear which apps have been injected with this malware, but, as soon as it gets onto the primary device, it can spread itself to other machines on the network using ADB feature.

The only way malware can infiltrate the targeted system is if the Android Debug Bridge function is on. There are two ways it can happen: either the user turns it on or the developer of the device had this function turned on for the customer. Unfortunately, security researcher Kevin Beaumont reported^[4] that multiple firms were shipping tablets and smartphones in that condition.

As it was reported^[5] by Chinese security researchers in NetLab in February 2018, malware has already infected thousands of gadgets in China and South Korea:^[5]

Overall, we think there is a new and active worm targeting android system's adb debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours.

You can detect and remove the worm from your device

To determine whether you are infected with ADB.miner on not, you need to check if you have “Test” app installed on your device. Unfortunately, this sneaky program does not show up in apps section or management settings. Thus, you need to install a file managing app like Total Commander to see if malware is there.

The best way to get rid of crypto-miner is to perform a full factory reset on your device. Before you complete it, you need to switch off all Android devices that could be infected. Once that is done, proceed with the following steps:

On Your Fire device, click Settings
Scroll to the right and pick System
Scroll down and find Reset to Factory Defaults
A warning message will come up – press Reset
Wait till factory reset is complete

As a measure of precaution, you should select Device > Developer options and make sure that ADB debugging and Apps from Unknown Sources features are both set to OFF. This will prevent your device from being infected in the future.

Be careful online and do not download shady applications from questionable sources. After all, crypto mining malware is on the rise, and being infected by it might cost you the well-being of your device, as well as bring a hefty electricity bill.

About the author

Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions

References

^ Hackers ditch ransomware attacks, move to cryptojacking: Symantec. ETCIO. An initiative of The Economic Times.
^ Dion Dassanayake. Kodi WARNING - Security risk alert after popular add-on makes SHOCK claim. Express. British magazine.
^ Julie Splinters. Amazon’s Alexa hacked purposely to demonstrate security flaws. 2-spyware. Cybersecurity news and articles.
^ Kevin Beaumont. Root Bridge — how thousands of internet connected Android devices now have no security, and are being exploited by criminals.. Doublepulsar. Cybersecurity from the trenches of reality.
^ Hui Wang. Early Warning: ADB.Miner A Mining Botnet Utilizing Android ADB Is Now Rapidly Spreading. NetLab. Security firm.