
Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks

Published:

5 January 2026 at 16:41:00

Alert date:

5 January 2026 at 18:02:20

Source:

thehackernews.com


Mobile & IoT, Ransomware & Malware

The Kimwolf botnet has infected over 2 million Android devices by exploiting exposed ADB (Android Debug Bridge) interfaces and tunneling through residential proxy networks. The botnet operators are monetizing their infrastructure through multiple revenue streams including forced app installations, selling residential proxy bandwidth access, and offering DDoS-for-hire services. The campaign demonstrates sophisticated techniques for device compromise and monetization at scale, representing a significant threat to Android device security globally.

Technical details

Kimwolf is an Android botnet variant of AISURU that has infected over 2 million devices through residential proxy networks. The botnet targets Android devices running exposed Android Debug Bridge (ADB) services; 67% of infected devices exposed an unauthenticated ADB service that was enabled by default. The malware turns infected devices into conduits for relaying malicious traffic and orchestrating DDoS attacks. The main payload listens on port 40860 and connects to 85.234.91[.]247:1337 for command and control. The operators monetize the botnet through forced app installs, sales of residential proxy bandwidth, and DDoS-for-hire. Infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with approximately 12 million unique IP addresses observed per week.

Mitigation steps:

Proxy providers should block requests to RFC 1918 addresses (private IP address ranges). Organizations should lock down devices running unauthenticated ADB shells to prevent unauthorized access. IPIDEA implemented a security patch on December 27 to block access to local network devices and various sensitive ports.
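As an added example (not from the advisory, and not code from IPIDEA or any other proxy vendor), an egress policy check a residential proxy exit node could apply before relaying a request. It implements the RFC 1918 block the advisory recommends; the additional local ranges, the resolver hook and the blocked port 5555 are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple

# Destinations a proxy exit node must never relay to. RFC 1918 is the block the
# advisory recommends; the other ranges are assumptions added here because they
# are just as local to the exit device.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "100.64.0.0/10",                                  # CGNAT (RFC 6598)
)]
# Ports on the exit device a relayed request must not reach. The advisory says
# IPIDEA blocked "various sensitive ports" without naming them; 40860 is the
# Kimwolf listener port from the advisory, 5555 (ADB over TCP) is an assumption.
BLOCKED_PORTS = {5555, 40860}


def default_resolver(host: str) -> Iterable[str]:
    """Return every address (A and AAAA) a hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_local(addr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def egress_allowed(host: str, port: int,
                   resolver: Callable[[str], Iterable[str]] = default_resolver,
                   ) -> Tuple[bool, str]:
    """Return (allowed, reason) for a proxied request to host:port. Every
    address the host resolves to is checked, not only private IP literals."""
    if port in BLOCKED_PORTS:
        return False, f"port {port} is blocked"
    try:
        targets = [ipaddress.ip_address(host.strip("[]"))]  # IP literal?
    except ValueError:
        try:
            targets = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not targets:
            return False, f"{host!r} resolved to no addresses"
    for addr in targets:
        if _is_local(addr):
            return False, f"{host} -> {addr} is a local or private address"
    return True, "ok"
```

The check runs on the exit device itself, where the relayed request would otherwise reach the device's own LAN and services, which is exactly the path the advisory describes being abused.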

Affected products:

Android devices
Android Debug Bridge (ADB)
Android-based smart TVs
set-top boxes
IPIDEA proxy network
Plainproxies Byteconnect SDK

Related links:

Related CVEs:

Related threat actors:

IOCs:

85.234.91[.]247:1337, port 40860, 119 relay servers used by Plainproxies Byteconnect SDK

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
