Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB

What happened

The Kimwolf Android botnet has infected more than two million devices by exploiting exposed Android Debug Bridge (ADB) services, according to researchers at Synthient. Active since at least August 2025 and linked to the AISURU botnet, Kimwolf is used for DDoS attacks, credential-stuffing campaigns, traffic proxying, and bandwidth monetization. The malware primarily targets Android devices and smart TVs, with infections concentrated in Vietnam, Brazil, India, and Saudi Arabia. Kimwolf also abuses residential proxy SDKs to obscure attacker infrastructure.

Who is affected

Android users and organizations operating Android-based devices or smart TVs with exposed ADB services are at risk.

Why CISOs should care

Compromised IoT and Android devices can be weaponized at scale, creating hidden attack infrastructure inside corporate networks.

3 practical actions

1. Disable exposed ADB: Ensure ADB is disabled or tightly restricted on all Android and IoT devices.

2. Monitor device traffic: Watch for anomalous outbound traffic patterns linked to proxying or DDoS behavior.

3. Enforce patching: Keep Android firmware and third-party SDKs updated across managed devices.
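One way to start on actions 1 and 2 is sketched below as an added example, not code from Synthient or the original article. It scans flow records for connections to ADB over TCP from unsanctioned sources and for devices with unusually wide outbound fan-out. The subnet, admin host, threshold and CSV layout are assumptions, the sample flows are constructed, and TCP 5555 is the conventional ADB-over-TCP port rather than a detail from the article.

```python
"""Flag ADB exposure and proxy/DDoS-like fan-out in flow records (added example)."""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

ADB_TCP_PORT = 5555                       # conventional ADB-over-TCP port
DEVICE_NET = ip_network("10.20.0.0/24")   # assumption: Android / smart TV segment
ADMIN_HOSTS = {ip_address("10.1.1.10")}   # assumption: sanctioned ADB workstation
FANOUT_LIMIT = 5                          # assumption: tune to your own baseline

# Constructed sample flows, one per line: src,dst,proto,dport
SAMPLE_FLOWS = """\
10.1.1.10,10.20.0.15,tcp,5555
203.0.113.7,10.20.0.22,tcp,5555
10.20.0.15,192.0.2.50,tcp,443
10.20.0.22,198.51.100.1,tcp,80
10.20.0.22,198.51.100.2,tcp,80
10.20.0.22,198.51.100.3,tcp,80
10.20.0.22,198.51.100.4,tcp,80
10.20.0.22,198.51.100.5,tcp,80
10.20.0.22,198.51.100.6,tcp,80
"""

def analyze(flow_csv, fanout_limit=FANOUT_LIMIT):
    """Return (adb_hits, noisy_devices) for a CSV string of flow records."""
    adb_hits = []              # (src, dst) pairs reaching ADB from unsanctioned hosts
    peers = defaultdict(set)   # device -> distinct external (dst, dport) pairs
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:      # skip blank or malformed records
            continue
        src, dst, dport = ip_address(row[0]), ip_address(row[1]), int(row[3])
        # Action 1: ADB on a device is being reached by a host not on the allowlist.
        if (dst in DEVICE_NET and row[2] == "tcp"
                and dport == ADB_TCP_PORT and src not in ADMIN_HOSTS):
            adb_hits.append((str(src), str(dst)))
        # Action 2: count distinct destinations each device contacts off-segment.
        if src in DEVICE_NET and dst not in DEVICE_NET:
            peers[src].add((dst, dport))
    noisy = sorted(str(dev) for dev, seen in peers.items() if len(seen) > fanout_limit)
    return adb_hits, noisy

if __name__ == "__main__":
    hits, noisy = analyze(SAMPLE_FLOWS)
    for src, dst in hits:
        print(f"ADB reached from unsanctioned host {src} -> {dst}:{ADB_TCP_PORT}")
    for dev in noisy:
        print(f"High outbound fan-out from device {dev}")
```

A device that appears in both result lists is the first candidate for isolation and a check that ADB is actually disabled on it.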