New Ares IoT Botnet discovered on Android OS based Set-Top Boxes

WootCloud Inc. uncovers Botnet exploiting the insecure configuration and misuse of the Android Debug Bridge infrastructure used by a majority of Android-based STBs and TVs, including ones manufactured by Huawei Corporation


SAN JOSE, Calif., Aug. 28, 2019 (GLOBE NEWSWIRE) -- WootCloud, an innovative device cybersecurity company, today announced that it has identified a new IoT Botnet named Ares after the Greek god of war. The find is significant with far-reaching impact, considering the Ares Botnet targets the rapidly growing number of Set-Top Boxes in the market today that are used to stream media from popular services.

According to a 2019 report from Marketresearch.biz, the global set-top box market was valued at US $17 billion in 2017 and is expected to grow at a rate of 4.3%. 

Using its HyperContext Device Security Solution, WootCloud uncovered the Ares Botnet by identifying suspicious behavior on Android Set-Top Boxes including HiSilicon (owned by Huawei Corp), Cubetek and Qezy Media.

In tracking the state of Android threats, WootCloud focused its research on the exploitation and misuse of the Android Debug Bridge (ADB) protocol, the communication component used by the majority of Android devices and their associated clients to debug and remotely manage Android devices.

“The biggest threat associated with these Android Set-Top Boxes, apart from the Ares vulnerability that we discovered, is the presence of an open and unauthenticated ADB service running on internet-connected devices,” said Srinivas Akella, founder and CTO of WootCloud. “Unless we stay vigilant, the probability is huge that any enterprise or consumer could find themselves a victim of hacking attacks through these Set-Top Boxes and, down the line, even by way of the Smart TVs and other Consumer IoT devices. WootCloud is committed to releasing to the public threats like Ares, providing information as well as fixes that people and businesses need to stay ahead of a wide range of vulnerabilities, exposures and exploits. We have done this in the past when we exposed multiple Botnets in Polycom HDX devices, and we will soon be releasing further research on compromised printers and other commercial IoT devices.”

Unless it is stopped at this stage with remediation strategies, Ares could be used to trigger even bigger infections and threaten Android-based TVs and other devices. According to Strategy Analytics research, one in 10 Smart TVs runs on the Google Android Operating System [1]. In addition, according to reports from the Android Team in May of 2019, the Android Operating System (OS) is also used in mobile devices and smart-watches as well as Internet-of-Things (IoT) devices. The total number of Android devices active today is 2.5 million [2].

“The Ares Botnet has the potential to be a powerful base by which attackers could conduct a wide range of malicious activities,” added Akella. “We’ve already witnessed this in action as hackers have to date launched major threats to the Android-based devices including malware for crypto-mining, mobile spying and data and information theft.”

More About the Ares Botnet Discovery

Using WootCloud’s HyperContext Device Security Solution, WootCloud discovered the new Ares Botnet and found that the primary vector used to infect devices and spread the Ares ADB bot is the ADB interface itself. Attackers exploit the insecure default configuration, an ADB remote management and debug interface exposed to the network without authentication, to install the Ares bot on Android-based devices, mostly Set-Top Boxes and TVs. Once the bot is installed on a device, it propagates by launching scanners that fingerprint and detect further devices via their ADB interface.
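The two behaviours the paragraph above describes, an ADB service reachable from outside the network and an infected box fanning out ADB connections to find more victims, both leave traces in ordinary connection logs. The following is an added detection example written for this page, not WootCloud's code or the Ares sample; it assumes ADB over TCP on port 5555 (the documented default for `adb tcpip`), an assumed monitored LAN of 10.0.3.0/24, an assumed fan-out threshold, and a constructed flow log.

```python
"""Added example: flag (1) internal devices whose ADB port accepted a connection
from outside the monitored network (the exposed, unauthenticated ADB service)
and (2) internal hosts probing ADB on many peers (the propagation scanner)."""
import ipaddress
from collections import defaultdict

ADB_PORT = 5555                                  # default port for adb over TCP
INTERNAL = ipaddress.ip_network("10.0.3.0/24")   # assumed monitored LAN
SCAN_THRESHOLD = 8                               # assumed fan-out cut-off

# Constructed sample flow log: "src_ip dst_ip dst_port bytes" per line.
SAMPLE_LOG = (
    "203.0.113.7 10.0.3.21 5555 2100\n"   # external client reached ADB on box .21
    "10.0.3.40 10.0.3.21 443 900\n"       # ordinary HTTPS traffic, not ADB
    "10.0.3.5 10.0.3.21 5555 300\n"       # one admin workstation using ADB: benign
) + "".join(f"10.0.3.21 10.0.3.{n} 5555 0\n" for n in range(50, 60))  # .21 probes 10 peers


def parse(log):
    """Yield (src, dst, dst_port) tuples from the flow log, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            src, dst, port, _ = line.split()
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def exposed_adb(log):
    """Internal devices that accepted an ADB connection from outside INTERNAL."""
    return sorted({str(dst) for src, dst, port in parse(log)
                   if port == ADB_PORT and dst in INTERNAL and src not in INTERNAL})


def adb_scanners(log, threshold=SCAN_THRESHOLD):
    """Internal hosts that attempted ADB against at least `threshold` distinct peers."""
    fanout = defaultdict(set)
    for src, dst, port in parse(log):
        if port == ADB_PORT and src in INTERNAL:
            fanout[src].add(dst)
    return sorted(str(h) for h, peers in fanout.items() if len(peers) >= threshold)


if __name__ == "__main__":
    print("exposed ADB services:", exposed_adb(SAMPLE_LOG))
    print("ADB scanners:", adb_scanners(SAMPLE_LOG))
```

A device on both lists fits the release's infection chain: reached over an open ADB port from outside, then used to fingerprint its neighbours.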

In addition, WootCloud Labs further established that the compromised devices were being used to trigger additional attacks, like crypto-mining and dictionary attacks. A full analysis of the functionality and nature of the Ares ADB Botnet, along with suggested counter-measures, is available from WootCloud Labs.

About WootCloud Labs

WootCloud Labs, the research division of WootCloud, uses Artificial Intelligence, Machine Learning and Neural Network technology to identify cybersecurity threats worldwide on the vast number of IoT devices that are active on enterprise networks.

About WootCloud

WootCloud, a Silicon Valley company, is the only enterprise device security solution provider to leverage both radio and network characteristics to neutralize IoT threats. WootCloud's HyperContext™ platform uses a machine learning-driven security approach to establish deep context about all devices, including corporate devices like laptops and printers as well as IoT devices. The HyperContext platform empowers security and IT teams to identify both managed and unmanaged devices and proactively control access. The company’s scalable, agentless deployment capabilities, covering 100 percent of a network, enable actionable insights to detect behavioral anomalies in near real time. A venture-backed firm, WootCloud is headquartered in San Jose, California, with offices in India and Argentina.

Media Contact:
Andrea Corry
TopMind PR
(925) 640-5482
andrea@topmindpr.com