ADB.miner Infected 7400 Android Devices

A new covert XMR miner reuses code from the Mirai botnet
06 February 2018

Qihoo 360 researchers have discovered a new botnet, ADB.miner, that compromises Android devices and uses them to mine Monero. The number of infected devices has already reached almost 7,400, Bleeping Computer reports.

The first attacks were observed on Saturday, 3 February. According to the researchers, ADB.miner reuses code from the Mirai botnet, which was behind the large-scale DDoS attacks on major websites in 2016. The botnet scans for Android devices that have the Android Debug Bridge (ADB) exposed over the network on TCP port 5555. A device where adb has been switched to TCP mode and left reachable from the network will frequently accept connections on that port without any authentication, handing the caller shell-level access to the system (install packages, push files, run commands). Once connected, the malware installs itself and sets the device to mining Monero.

Figure: Port 5555
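The check a practitioner wants after reading the paragraph above is whether a given device is exposed the way ADB.miner needs it to be. The following is an added example, not code from the original article or from Qihoo 360: it speaks the first step of the real ADB wire protocol (a CNXN message; 24-byte little-endian header of command, arg0, arg1, data length, checksum and magic, where magic is the command XORed with 0xFFFFFFFF) and classifies the device's first reply. A device that answers with its own CNXN banner is wide open; one that answers AUTH demands an RSA key first. The two sample replies at the bottom are constructed here, not captured from a real device, so the parser can be exercised offline; the host name and port in `probe` are parameters you supply, and it must only be pointed at devices you own.

```python
import socket
import struct

# ADB wire-protocol constants (24-byte header: command, arg0, arg1, data_length,
# data_check, magic; all little-endian uint32, magic = command XOR 0xFFFFFFFF).
A_CNXN = 0x4E584E43        # b"CNXN": connection request / device banner
A_AUTH = 0x48545541        # b"AUTH": device demands RSA-key authentication
A_VERSION = 0x01000000     # protocol version sent in CNXN arg0
MAX_PAYLOAD = 4096         # CNXN arg1: largest message we are willing to accept


def adb_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message with a correct checksum and magic."""
    data_check = sum(payload) & 0xFFFFFFFF          # checksum is a plain byte sum
    magic = command ^ 0xFFFFFFFF
    header = struct.pack("<6I", command, arg0, arg1, len(payload), data_check, magic)
    return header + payload


def cnxn_packet():
    """The CNXN an adb client sends first; 'host::' identifies us as a host."""
    return adb_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(raw):
    """Validate header magic, length and checksum; return (command, arg0, arg1, payload)."""
    if len(raw) < 24:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = struct.unpack("<6I", raw[:24])
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not an ADB message")
    payload = raw[24:24 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if (sum(payload) & 0xFFFFFFFF) != check:
        raise ValueError("bad checksum")
    return command, arg0, arg1, payload


def classify_reply(raw):
    """Map the device's first reply to a verdict on how exposed the port is."""
    command, _, _, payload = parse_message(raw)
    if command == A_CNXN:
        # Device answered with its own banner: no authentication, so anyone can
        # open a shell, install APKs or push files. This is what ADB.miner wants.
        return "open", payload.rstrip(b"\x00").decode("ascii", "replace")
    if command == A_AUTH:
        # Device wants an RSA signature over its token before it will talk.
        return "auth-required", ""
    return "unknown", struct.pack("<I", command).decode("ascii", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe(host, port=5555, timeout=3.0):
    """Connect to host:port, send CNXN and classify the first reply. Only for hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cnxn_packet())
        header = _recv_exact(sock, 24)
        length = struct.unpack("<6I", header)[3]
        return classify_reply(header + _recv_exact(sock, length))


# Constructed sample replies (not captured from a real device), built with the
# same serialiser so their checksums are valid.
SAMPLE_OPEN_REPLY = adb_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=sample;ro.product.model=box;ro.product.device=sample;\x00")
SAMPLE_AUTH_REPLY = adb_message(A_AUTH, 1, 0, bytes(range(20)))  # arg0=1 means AUTH_TOKEN

if __name__ == "__main__":
    for name, reply in (("open", SAMPLE_OPEN_REPLY), ("auth", SAMPLE_AUTH_REPLY)):
        print(name, classify_reply(reply))
```

On the device side, `adb shell getprop service.adb.tcp.port` tells you whether adb has been put into TCP mode; `adb usb` switches a developer-enabled device back to USB-only, but on set-top boxes and TVs that ship with the port open the fix is a firmware setting or a firewall in front of the device.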

40% of the victims of ADB.miner are in China and 30% in South Korea.

"The number of scan [sources] has doubled every 12 [hours]. We will see how big this botnet gets."

Yiming Gong, Director, Network Security Research Lab at Qihoo 360

The researchers stress that any Android device with ADB reachable over the network is at risk, from smartphones to smart TVs and other Android-based appliances.

At press time, ADB.miner had generated only around $0.04 worth of XMR.

Figure: ADB.miner earnings

It is not the first covert miner to target XMR. Monero attracts attackers because of its strong transaction privacy and because it can still be mined profitably on commodity CPUs. In May 2017, researchers at GuardiCore found the BondNet botnet, some 15,000 compromised servers that mined XMR and earned their operator up to $1,000 a day.

Scammers Replaced the MEGA Extension to Steal Crypto

MEGA is a popular file-sharing service; attackers managed to replace its official Google Chrome extension with a trojaned build
05 September 2018

The popular file-sharing service MEGA has reported an attack on its browser extension. Attackers managed to replace the official Chrome extension of the service with a trojaned version that harvested credentials for cryptocurrency wallet sites from users.

On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.

MEGA Blog

Thus, the attackers could obtain the credentials users typed into the popular cryptocurrency wallets MyEtherWallet and MyMonero, and funds on the decentralised exchange IDEX were under threat as well.
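The one visible signal in this incident was the new permission prompt: Chrome only asks again on an auto-update when the manifest requests something it did not have before, and "Read and change all your data on the websites you visit" corresponds to a host pattern such as `<all_urls>` or `*://*/*`. The following is an added example, not MEGA's code or the real MEGA manifest: it parses an extension's manifest.json, flags host patterns that grant access to every site, and diffs the grants of an installed or downloaded build against a trusted baseline. Both manifests below are constructed for the example (the clean one limited to mega.nz, the trojaned one carrying version 3.39.4 from the report and an `<all_urls>` grant); they are not the real files.

```python
import json

# Host patterns that give a script access to every site the user visits. Chrome
# summarises any of these as "Read and change all your data on the websites you visit".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests for this example; NOT the real MEGA extension manifests.
CLEAN_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "MEGA", "version": "3.39.3",
  "permissions": ["storage", "unlimitedStorage", "https://mega.nz/*"],
  "content_scripts": [{"matches": ["https://mega.nz/*"], "js": ["mega.js"]}]
}""")

TROJANED_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "MEGA", "version": "3.39.4",
  "permissions": ["storage", "unlimitedStorage", "<all_urls>", "webRequest"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["mega.js", "x.js"]}]
}""")


def _grants(manifest):
    """Yield (location, grant) for every permission string and content-script match pattern.

    Covers MV2 'permissions' (API names and host patterns mixed), 'optional_permissions',
    MV3 'host_permissions', and the 'matches' list of each content script.
    """
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str):
                yield key, entry
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            yield f"content_scripts[{i}].matches", pattern


def broad_host_access(manifest):
    """Return every (location, pattern) that grants access to all websites."""
    return [(loc, grant) for loc, grant in _grants(manifest) if grant in BROAD_HOST_PATTERNS]


def compare_manifests(trusted, candidate):
    """Grants present in candidate but absent from the trusted baseline, sorted."""
    baseline = {grant for _, grant in _grants(trusted)}
    return sorted({grant for _, grant in _grants(candidate)} - baseline)


def load_manifest(text):
    """Parse a manifest.json file's contents (kept separate so it is easy to feed a real file)."""
    return json.loads(text)


if __name__ == "__main__":
    print("broad access in clean build:   ", broad_host_access(CLEAN_MANIFEST))
    print("broad access in trojaned build:", broad_host_access(TROJANED_MANIFEST))
    print("grants added by trojaned build:", compare_manifests(CLEAN_MANIFEST, TROJANED_MANIFEST))
```

To check an installed copy, feed `load_manifest` the contents of the manifest.json inside the extension's directory in your Chrome profile; a baseline can be the manifest from the last version you installed deliberately. Any new entry in `BROAD_HOST_PATTERNS`, or a new `webRequest`-style API permission, on an extension whose job is confined to one site is exactly the change that should stop an update.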

MEGA's representatives stressed that the trojaned extension was replaced with a genuine build four hours after the substitution, and that an hour after that Google removed the extension from the Chrome Web Store. Because the malicious build was delivered through the store's auto-update mechanism, users who had the extension installed received it without taking any action; anyone who accepted the new permission prompt during that window should treat credentials entered on the affected sites as compromised and rotate them. Note that at the time of publication the MEGA extension for Chrome was still unavailable in the official store.

It was reported earlier that MyEtherWallet users who had the free VPN extension Hola installed could have fallen victim to a similar attack.