Fbot is a botnet that infects Android devices through the exposed Android Debug Bridge (ADB) interface. It was first discovered in September 2018 and is believed to be a variant of the Satori botnet, itself a Mirai variant. Fbot is notable for its unusual behavior. Instead of using its infected devices to launch DDoS attacks or mine cryptocurrency, Fbot explicitly searches for and removes other botnet malware, such as ADB.Miner. This function has led some security experts to speculate that Fbot may be a “vigilante” botnet created by someone to remove malicious software from infected devices.
However, it is also possible that Fbot is simply a new type of botnet that is still under development, and the attackers behind it may be planning to use it for malicious purposes. Regardless of its intentions, Fbot does pose a threat to mobile application security. By infecting Android devices, Fbot can access sensitive personal and financial user data, such as passwords, credit card numbers, and location information. Fbot can also be used to launch attacks against other devices and networks.
Fbot Botnet Threat Details
Similar to Mirai-based malware, Fbot scans for an Android device before using known exploits to access it. Once Fbot is installed on the device, the botnet uses OpenNIC to connect to a command-and-control server whose domain is registered in EmerDNS, a decentralized domain name system. Fbot's scripts then search for and remove com.ufo.miner, a variant of the ADB.Miner cryptocurrency miner. Although Fbot contains the Satori malware’s DDoS module, that module appears to be disabled and unused by Fbot.
Fbot Botnet Remediation
- Disable the Android Debug Bridge (ADB) interface unless you need to use it.
- Increase user awareness and education on not opening email attachments or clicking on links in unsolicited emails.
- Keep all operating systems, antivirus, and other security products current.
- Use non-administrative accounts for all day-to-day computer activities such as email and Internet browsing.
- Ensure strong password policies are in place and password reuse is discouraged.
- Monitor network, proxy, and firewall logs for suspicious activity.
- Reset compromised user accounts on a clean computer.
- Monitor ports 37125 and 52869 and close them when not in use.
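The threat details above (ADB exposure, C2 resolution through OpenNIC to an EmerDNS domain) and the log- and port-monitoring items in the remediation list can be turned into a small detection routine. The following is an added example, not code from the original article or from any vendor; it assumes a constructed, hypothetical log format, uses the two ports named on this page (37125 and 52869), and adds 5555 as the standard ADB-over-TCP port and the EmerDNS root zones (.emc, .coin, .lib, .bazar) as assumptions that the page itself does not state. The sample log lines are constructed for the example.

```python
"""Flag log lines that match Fbot-style activity.

Three indicators are checked:
  * inbound connections to the ADB-over-TCP port (the infection vector),
  * traffic to the two ports the remediation list says to monitor,
  * DNS queries for EmerDNS zones (Fbot resolves its C2 via OpenNIC).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# 37125 and 52869 come from the remediation guidance on this page.
# 5555 is the conventional ADB-over-TCP port (assumption of this example).
WATCHED_PORTS = {
    5555: "ADB over TCP (exposed debug bridge)",
    37125: "port listed in Fbot remediation guidance",
    52869: "port listed in Fbot remediation guidance",
}

# EmerDNS root zones served through OpenNIC (assumed list, not from the page).
EMERDNS_ZONES = (".emc", ".coin", ".lib", ".bazar")

# Hypothetical log formats used only by this example:
#   <ts> FW <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
#   <ts> DNS query <client_ip> <qname>
FW_RE = re.compile(r"^(\S+) FW (\w+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) DNS query ([\d.]+) (\S+)$")


@dataclass
class Finding:
    timestamp: str
    kind: str      # "port" or "emerdns"
    detail: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches an indicator, else None."""
    line = line.strip()
    m = FW_RE.match(line)
    if m:
        ts, action, _proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        # Only the destination port matters: a watched port appearing as an
        # ephemeral source port on outbound traffic is not an indicator.
        if dport in WATCHED_PORTS:
            return Finding(ts, "port",
                           f"{src} -> {dst}:{dport} ({WATCHED_PORTS[dport]}, {action})")
        return None
    m = DNS_RE.match(line)
    if m:
        ts, client, qname = m.groups()
        if qname.lower().rstrip(".").endswith(EMERDNS_ZONES):
            return Finding(ts, "emerdns", f"{client} queried {qname}")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over every line and keep the hits."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample input (RFC 5737 documentation addresses, made-up names).
SAMPLE_LOG_LINES = [
    "2018-09-15T10:01:02Z FW ACCEPT TCP 203.0.113.7:41234 -> 10.0.0.5:5555",
    "2018-09-15T10:01:05Z FW ACCEPT TCP 10.0.0.5:52211 -> 198.51.100.9:443",
    "2018-09-15T10:01:09Z DNS query 10.0.0.5 update.example.com",
    "2018-09-15T10:01:12Z DNS query 10.0.0.5 c2-placeholder.lib",
    "2018-09-15T10:02:30Z FW DROP TCP 203.0.113.8:55001 -> 10.0.0.5:37125",
    "2018-09-15T10:02:44Z FW ACCEPT TCP 10.0.0.5:52869 -> 198.51.100.9:80",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"{finding.timestamp} [{finding.kind}] {finding.detail}")
```

Run against the constructed sample, the script reports three findings: the inbound connection to port 5555, the query for a .lib name, and the dropped probe of port 37125. The last sample line is deliberately not flagged, because 52869 appears there only as an ephemeral source port; matching on destination port alone keeps the rule from firing on ordinary outbound traffic.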