Millions of Android devices threatened by botnet malware — what to do

Chinese researchers say millions of Android devices, including smartphones, tablets, TVs and set-top boxes, are threatened by new malware that wants to draft the devices into a giant botnet.

The botnet malware, which the researchers at Qihoo 360's Netlab are calling "Matryosh" because its functions are layered like a Russian matryoshka nesting doll, uses the Android Debug Bridge (ADB) interface to infect devices.

If your device is infected by Matryosh, you may notice it heating up or slowing down when the botnet is active. But overall, you may not notice anything, which is one reason you should install one of the best Android antivirus apps on your device if possible.

ADB, botnet, DDoS — what?

ADB is an Android developer feature used during software development. It should be disabled on consumer devices, but many shoddy Android device makers leave ADB on when devices ship to market. 

Devices that don't have ADB enabled won't be infected by the Matryosh botnet or several other forms of Android malware that use ADB to gain access.

A botnet is a collection of internet-connected devices infected by malware that uses them to carry out distributed denial-of-service (DDoS) attacks, send out or relay spam emails, or even combine their computing power to crack passwords, among other uses.

A DDoS attack occurs when thousands or even millions of devices bombard a single web server with so many requests for data that the server can't connect to the outside world and is effectively knocked offline. 

According to Qihoo Netlab, the Matryosh botnet malware is a variation on the Mirai botnet. The Mirai malware infected thousands of Linux-based routers and other smart-home devices in October 2016 to stage a massive DDoS attack that briefly knocked out internet service on the East Coast of the United States. 

Like Mirai, Matryosh doesn't do anything fancy in the long run. It's designed to stage DDoS attacks. But it uses a complicated setup process involving the Tor hidden network to evade detection by network monitors.

How to disable ADB on your Android device

Here's how to make sure ADB is disabled on your Android device, whether it's a mobile device, a TV or a set-top box. This is a very generic set of instructions, so the steps on your device may not be exactly the same.

  1. Find the Settings menu and open it.
  2. Open System and look for an item named Developer Options, Developer Mode or maybe just Developer.
  3. If some sort of developer option is not available, you're probably fine, but skip to the next set of instructions for how to really make certain.
  4. If Developer Options/Mode is in your System settings, tap it and look for USB Debugging or Debugging.
  5. Make sure USB Debugging is toggled off.
  6. Unless you're going to be using Developer Options/Mode, toggle that off as well.

Turning off developer mode

Because Android device menus vary widely, it might be worth turning on Developer Mode/Options anyway, then turning it off, just to make sure ADB is really turned off. Here's how.

  1. Find the Settings menu and open it.
  2. Find "About Phone," "About Device," "About" or something similar and tap on it.
  3. Find "Build Number" and tap or click on it seven times. (On some devices, it's only three times.)
  4. You'll get a message that you're now in Developer Mode.
  5. Follow steps 2, 4, 5 and 6 above to make sure ADB is disabled and Developer Mode is turned off.
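
To confirm from a computer on the same home network that the steps above worked, this added example (not part of the original article) tries to open a TCP connection to each of your own devices on port 5555, the default port for ADB over a network. The port number, device names and addresses are assumptions; replace the constructed inventory with your own devices.

```python
import socket

ADB_TCP_PORT = 5555  # default port for ADB over TCP (assumption; not stated in the article)

# Constructed sample inventory: replace with your own devices' LAN addresses.
MY_DEVICES = {
    "living-room-tv": "192.168.1.50",
    "set-top-box": "192.168.1.51",
}

ADVICE = {
    "EXPOSED": "something is listening on the ADB port; turn off debugging on this device",
    "closed": "device answered and the port is shut",
    "no-answer": "inconclusive; wake the device, check the address and run again",
}

def check_adb(host, port=ADB_TCP_PORT, timeout=2.0):
    """Classify one device as 'EXPOSED', 'closed' or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # A listener accepted the connection. On this port that is most
            # likely network ADB, although the check does not speak ADB itself.
            return "EXPOSED"
    except ConnectionRefusedError:
        # The device is up and actively refused: nothing listens on the port.
        return "closed"
    except OSError:
        # Timeout or unreachable: the device may be asleep, offline or behind
        # a filter, so this result proves nothing either way.
        return "no-answer"

def audit(devices, port=ADB_TCP_PORT, timeout=2.0):
    """Check every device in a name -> address mapping."""
    return {name: check_adb(addr, port, timeout) for name, addr in devices.items()}

if __name__ == "__main__":
    for name, status in audit(MY_DEVICES).items():
        print(f"{name:<16} {status:<10} {ADVICE[status]}")
```

A "closed" result only covers ADB over the network; the USB Debugging toggle in the steps above still needs to be off.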

Paul Wagenseil