Threat Watch

Matryosh Botnet Spreading Through Android Devices

Researchers at the China-based security firm Netlab 360 have discovered a new botnet that reuses the Mirai botnet framework. Dubbed Matryosh, it has its own distinctive characteristics and spreads through Android devices that expose the Android Debug Bridge (ADB) service to the Internet. Like Mirai, on which it is based, Matryosh exists mainly to conduct Distributed Denial-of-Service (DDoS) attacks. Netlab's analysis shows that the bot payload contains no code for network scanning or exploitation; propagation is handled elsewhere. Locating the command and control (C2) server is more involved than the payload itself: the bot decrypts a hard-coded hostname, requests that hostname's DNS TXT record, and obtains from the answer a Tor C2 address and a proxy. All communication with the C2 then goes through that proxy.


Most Android phones and tablets ship with ADB disabled, but some IoT and Android TV devices ship with it enabled, and a user can also turn it on. To check a device, open its Settings menu. If there is no “Developer Options” entry (some devices place it under the System menu rather than at the top level), ADB is disabled. If Developer Options is present, open it and look for an entry labelled something like “USB debugging”, “Android debugging” or “ADB debugging”. That setting on its own only exposes ADB over a USB cable; the exposure Matryosh exploits comes from the separate option that enables debugging over the network (vendors label it differently, for example “Network debugging” or “ADB over network”), which by default makes the device listen on TCP port 5555. Anyone not using these features for a specific reason should turn them off. Network administrators who see traffic to port 5555 should confirm that the perimeter firewall does not permit inbound connections from the Internet to that port and that no port-forwarding or UPnP rule exposes a device, because an ADB daemon that answers on 5555 without requiring key authentication hands anyone who reaches it a shell that can push and run arbitrary binaries on the device.
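The check a network administrator would want before writing the firewall rule is whether anything on a given address actually answers as ADB, and whether it does so without authentication. The following is an added example written for this article; it is not code from the original page, from Netlab 360, or from the Matryosh sample. It speaks the ADB transport protocol directly (a 24-byte header of six little-endian uint32 fields, then the payload) and sends the opening CNXN message: an unauthenticated daemon replies CNXN with a “device::” banner, a daemon that requires key authentication replies AUTH. The two sample replies at the bottom are constructed for the offline demonstration, and the device property values in them are invented; the host address in the usage note is a documentation address, not a real target.

```python
"""Probe a host for an Internet-exposed Android Debug Bridge (ADB) listener.

ADB over TCP/IP uses the same transport as ADB over USB: each message is a
24-byte header of six little-endian uint32 fields
(command, arg0, arg1, data_length, data_check, magic) followed by the payload,
where magic = command XOR 0xFFFFFFFF and data_check is the byte sum of the
payload.  A host opens with CNXN; a daemon that does not require key
authentication answers CNXN with a "device::" banner, one that does answers AUTH.
"""
import socket
import struct

ADB_PORT = 5555          # default port used by "adb tcpip 5555"
A_CNXN = 0x4E584E43      # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541      # b"AUTH"
A_VERSION = 0x01000000   # pre-"skip checksum" version, so the daemon keeps sending data_check
MAX_PAYLOAD = 4096
HEADER_LEN = 24


def adb_message(command, arg0, arg1, payload=b""):
    """Serialize one ADB transport message (header followed by payload)."""
    data_check = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    header = struct.pack("<6I", command, arg0, arg1, len(payload), data_check, magic)
    return header + payload


def connect_message():
    """The CNXN a host sends to open a session; the trailing NUL is part of the banner."""
    return adb_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(data):
    """Validate a received message and return (command, arg0, arg1, payload)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    command, arg0, arg1, length, data_check, magic = struct.unpack("<6I", data[:HEADER_LEN])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("not an ADB message: bad magic")
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if data_check != sum(payload) & 0xFFFFFFFF:
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, payload


def parse_banner(payload):
    """Turn 'device::k1=v1;k2=v2\\x00' into a dict of device properties."""
    text = payload.rstrip(b"\x00").decode("utf-8", errors="replace")
    _, _, props = text.partition("::")
    return dict(item.split("=", 1) for item in props.split(";") if "=" in item)


def classify_response(data):
    """Map the daemon's first reply to a finding.

    'open' means CNXN came back without an AUTH challenge: whoever reaches the
    port gets an adb shell on the device."""
    command, _, _, payload = parse_message(data)
    if command == A_CNXN:
        return "open", parse_banner(payload)
    if command == A_AUTH:
        return "auth-required", {}
    return "unknown", {}


def recv_exactly(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before %d bytes" % n)
        buf += chunk
    return buf


def probe(host, port=ADB_PORT, timeout=5.0):
    """Connect to host:port, send CNXN, read the first reply and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(connect_message())
        header = recv_exactly(sock, HEADER_LEN)
        length = struct.unpack("<I", header[12:16])[0]
        return classify_response(header + recv_exactly(sock, length))


# Constructed sample replies (not captured from any real device), built with the
# same serializer so their header fields are self-consistent.
SAMPLE_OPEN = adb_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=example_tv;ro.product.model=Example TV Box;"
    b"ro.product.device=example;features=shell_v2,cmd\x00")
SAMPLE_AUTH = adb_message(A_AUTH, 1, 0, b"\x00" * 20)  # arg0 = 1 is ADB_AUTH_TOKEN

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN))
    print(classify_response(SAMPLE_AUTH))
```

Run as a script it classifies the two constructed samples; against a live host call `probe("192.0.2.10")` (a documentation address standing in for an address you are authorized to test). A result of `"open"` with a banner is the condition Matryosh needs; `"auth-required"` still means the port is reachable and should be closed at the firewall. On an Android device you administer, `adb shell getprop service.adb.tcp.port` shows whether the daemon has been configured to listen on TCP at all.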