British security researcher Kevin Beaumont published a blog post about the issue, pointing out that ADB was completely unauthenticated.
He said this meant that anybody could connect to a device running ADB to execute commands. "However, to enable it — in theory — you have to physically connect to a device using USB and first enable the Debug Bridge," he said.
Numerous vendors had been shipping Android devices with ADB enabled, Beaumont said, adding that the service listened on TCP port 5555 and would allow everyone to connect to the device over the Internet.
He said it also appeared that some people were rooting their devices insecurely.
"During research... we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea," Beaumont said. "As an example, a specific Android TV device was also found to ship in this condition.
"This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’ — the administrator mode — and then silently install software and execute malicious functions.
"In theory root shouldn’t be available in non-development builds, but there’s an apparent bypass on some devices – adb shell 'su -c command'."
He said the issues with ADB were not intrinsic to the feature, just that it was not designed to be deployed in this way.
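As an added example, not from Beaumont's post or from the Android project: the first message an ADB daemon sends back tells a defender whether it will take commands without key authentication. The Python below parses the ADB message header (layout per the public adb protocol description) and classifies a daemon's first reply as an open CNXN banner or an AUTH challenge; the sample messages are constructed, and the byte-sum checksum matches older daemons that still compute one.

```python
import struct

# ADB command tags are the ASCII letters read as a little-endian uint32.
A_CNXN = 0x4E584E43  # "CNXN": connection banner, i.e. daemon is open for commands
A_AUTH = 0x48545541  # "AUTH": daemon demands RSA-key authentication first
HEADER = struct.Struct("<IIIIII")  # command, arg0, arg1, data_len, data_check, magic

def build_message(command, arg0, arg1, payload=b""):
    """Assemble one ADB message; used here only to construct sample traffic."""
    check = sum(payload) & 0xFFFFFFFF  # ADB's "data_check" is a plain byte sum
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), check, magic) + payload

def parse_adb_message(buf):
    """Parse one ADB message from bytes; None if buf is not well-formed ADB."""
    if len(buf) < HEADER.size:
        return None
    command, arg0, arg1, data_len, _check, magic = HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        return None  # magic must be the bitwise complement of the command
    payload = buf[HEADER.size:HEADER.size + data_len]
    if len(payload) != data_len:
        return None  # truncated message
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}

def classify_daemon_response(buf):
    """Label a daemon's first reply: open banner, auth challenge, or not ADB."""
    msg = parse_adb_message(buf)
    if msg is None:
        return "not-adb"
    if msg["command"] == A_AUTH:
        return "auth-required"
    if msg["command"] == A_CNXN:
        return "unauthenticated"
    return "other"

def device_properties(buf):
    """Extract the ro.* properties an open CNXN banner advertises (inventory aid)."""
    msg = parse_adb_message(buf)
    if msg is None or msg["command"] != A_CNXN:
        return {}
    banner = msg["payload"].rstrip(b"\x00").decode("utf-8", "replace")
    # Banner form: "device::ro.product.name=X;ro.product.model=Y;ro.product.device=Z;"
    _, _, props = banner.partition("::")
    return dict(p.split("=", 1) for p in props.split(";") if "=" in p)

# Constructed sample: banner from a daemon that enforces no key check at all.
SAMPLE_OPEN = build_message(A_CNXN, 0x01000000, 4096,
    b"device::ro.product.name=example_tv;ro.product.model=Example TV;"
    b"ro.product.device=example;\x00")
# Constructed sample: AUTH TOKEN (arg0=1) challenge from a daemon that requires a key.
SAMPLE_AUTH = build_message(A_AUTH, 1, 0, b"\x00" * 20)
```

Run against captures of replies from one's own devices, a result of "unauthenticated" on TCP 5555 is the condition the article describes and the device should have network ADB turned off or be firewalled.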
"...using data from Qihoo 360’s Netlab — which features extracts from Netflow data in ISPs and transit providers — we can see massive amounts of port 5555 traffic arriving live," Beaumont said. Though 360 had issued a warning on 4 February, the problem had continued to grow, with Asia being the region worst affected.
Of the worm, he said, it was "spread using a modified version of Mirai’s code bolted onto a cryptominer. There is no central C2 server; in this case it is spreading peer-to-peer via port 5555. There are, however, bugs in the code, and it only works on certain types of devices".
Devices infected by the worm were being used to mine cryptocurrency, Beaumont said, advising vendors not to ship devices with ADB enabled by default.
"It places the customers in harm’s way. Vendors who have done this should issue product updates to remediate the issue, and if automatic updates are not an option they should contact customers to ask them to update their software," he added.