Perceptive Security
SOC/SIEM Consultancy

Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks
Published:
5 January 2026 at 16:41:00
Alert date:
5 January 2026 at 18:02:20
Source:
thehackernews.com
Mobile & IoT, Ransomware & Malware
The Kimwolf botnet has infected over 2 million Android devices by exploiting exposed ADB (Android Debug Bridge) interfaces and tunneling through residential proxy networks. The botnet operators are monetizing their infrastructure through multiple revenue streams including forced app installations, selling residential proxy bandwidth access, and offering DDoS-for-hire services. The campaign demonstrates sophisticated techniques for device compromise and monetization at scale, representing a significant threat to Android device security globally.
Technical details
Kimwolf is an Android botnet variant of AISURU that has infected over 2 million devices through residential proxy networks. The botnet targets Android devices that expose the Android Debug Bridge (ADB) service; 67% of the infected devices run an unauthenticated ADB service that was enabled by default. The malware turns infected systems into conduits for relaying malicious traffic and orchestrating DDoS attacks. The main payload listens on port 40860 and connects to 85.234.91[.]247:1337 for command and control. The botnet is monetized through forced app installs, the sale of residential proxy bandwidth, and DDoS functionality. Infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with approximately 12 million unique IP addresses observed per week.
Mitigation steps:
Proxy providers should block requests to RFC 1918 addresses (private IP address ranges). Organizations should lock down devices running unauthenticated ADB shells to prevent unauthorized access. IPIDEA implemented a security patch on December 27 to block access to local network devices and various sensitive ports.
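The following is an added detection example written for this alert; it is not code from the source article or from Synthient's research. It flags flow records that match the published C2 address and listener port from the technical details above, and applies the RFC 1918 check that the proxy-provider mitigation calls for. The flow-record format and the sample records are constructed for the example.

```python
"""Flag network-flow records relevant to the Kimwolf alert (added example)."""
import ipaddress
from typing import Dict, List

KIMWOLF_C2 = ("85.234.91.247", 1337)   # from the alert (defanged there as 85.234.91[.]247)
KIMWOLF_LISTENER_PORT = 40860          # main payload listener port, from the alert

# RFC 1918 private ranges: proxy egress to these is what the mitigation blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies inside one of the three RFC 1918 private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as private
    return any(addr in net for net in RFC1918)


def classify_flow(line: str) -> List[str]:
    """Parse a constructed flow line 'src_ip:src_port dst_ip:dst_port'
    and return the findings it triggers (empty list if none)."""
    src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    findings = []
    if (dst_ip, int(dst_port)) == KIMWOLF_C2:
        findings.append("kimwolf-c2")  # beacon to the published C2
    if KIMWOLF_LISTENER_PORT in (int(src_port), int(dst_port)):
        findings.append("kimwolf-listener-port")  # traffic on the payload's listener
    if is_rfc1918(dst_ip) and not is_rfc1918(src_ip):
        findings.append("proxy-egress-to-private")  # request a proxy exit should block
    return findings


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = [
    "192.168.1.20:51234 85.234.91.247:1337",  # infected device beaconing to C2
    "203.0.113.9:40860 198.51.100.7:443",     # payload listener port seen as source
    "203.0.113.9:44412 10.0.0.5:22",          # proxy exit node reaching a private host
    "192.168.1.20:52001 93.184.216.34:443",   # ordinary browsing, no finding
]


def scan(flows: List[str]) -> Dict[str, List[str]]:
    """Return {flow: findings} for every flow that triggered at least one finding."""
    return {f: classify_flow(f) for f in flows if classify_flow(f)}
```

Feed real flow or proxy-access records through classify_flow after adapting the parser to your log format; the C2 match and listener-port match are indicators from the alert, while the RFC 1918 match is the policy check a proxy exit should enforce.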
Affected products:
Android devices
Android Debug Bridge (ADB)
Android-based smart TVs
set-top boxes
IPIDEA proxy network
Plainproxies Byteconnect SDK
Related links:
https://synthient.com/blog/a-broken-system-fueling-botnets
https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
https://github.com/synthient/public-research/tree/main/2026/01/kimwolf
https://www.ipidea.io
https://www.rfc-editor.org/rfc/rfc1918
https://en.wikipedia.org/wiki/Private_network
Related CVEs:
Related threat actors:
IOCs:
85.234.91[.]247:1337, port 40860, 119 relay servers used by Plainproxies Byteconnect SDK
This article was created with the assistance of AI technology by Perceptive.
