
Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks


These articles are AI-generated summaries. Please check the original sources for full details.

Kimwolf Android Botnet Exploits ADB and Proxy Networks

The Kimwolf botnet has compromised over 2 million Android devices by exploiting exposed Android Debug Bridge (ADB) services and leveraging residential proxy networks, according to Synthient. First documented in November 2025 by QiAnXin XLab, Kimwolf is an Android variant of the AISURU botnet and is suspected of orchestrating large-scale DDoS attacks.

Why This Matters

Ideal security models assume devices are properly configured and patched, but widespread ADB exposure shows a significant weakness in the Android ecosystem, and one rooted in configuration rather than a software flaw. The scale of this compromise, over 2 million devices, translates into substantial costs for DDoS mitigation, potential data breaches, and reputational damage for proxy providers unknowingly facilitating the attacks.

Key Insights

  • 67% of compromised devices have ADB enabled without authentication: this is a critical misconfiguration that gives malware easy access to the device.
  • Residential Proxies as Attack Vectors: Kimwolf leverages proxy networks like IPIDEA to mask malicious traffic and target devices.
  • Byteconnect SDK Monetization: The botnet utilizes the Byteconnect SDK to monetize compromised bandwidth, demonstrating a sophisticated financial motive.

Practical Applications

  • Use Case: IPIDEA, a proxy provider, had its network exploited to deliver the Kimwolf malware to vulnerable devices.
  • Pitfall: Relying on unauthenticated ADB access creates a significant attack surface for malware like Kimwolf.
