Kimwolf Android Botnet Compromises Over 2 Million Devices via Exposed ADB and Proxy Networks
Security researchers have uncovered a large-scale Android botnet campaign, tracked as Kimwolf, which has compromised over 2 million Android devices by abusing exposed Android Debug Bridge (ADB) services and commercial residential proxy networks.
According to analyses by Synthient and independent research teams, the campaign has been active since at least August 2025, primarily targeting Android-based smart TVs, set-top boxes, and IoT devices that often ship with ADB enabled by default and without authentication.
Campaign mechanics
Attackers scan the internet for exposed ADB interfaces and leverage residential proxy infrastructure to silently deploy malware. Once infected, devices are enrolled into a botnet used for:
large-scale DDoS attacks
residential proxy monetization
credential-stuffing campaigns
deployment of secondary monetization SDKs
Researchers estimate that nearly two-thirds of compromised devices run unauthenticated ADB, significantly lowering the barrier for mass exploitation.
Botnet evolution and proxy ecosystem abuse
Kimwolf was first publicly documented by QiAnXin XLab, which identified technical overlaps with another Android botnet known as AISURU, suggesting that Kimwolf may be an evolved variant of it.
The campaign also leverages commercial proxy SDKs, highlighting a growing convergence between cybercriminal operations and legitimate proxy service ecosystems. Parts of the infrastructure have additionally been linked to attacks against email services and popular web platforms.
DIAMATIX Perspective
Kimwolf demonstrates how poorly secured Android and IoT environments continue to fuel large-scale botnet operations. Exposed ADB services, combined with proxy-based delivery, allow attackers to evade traditional perimeter defenses.
Organizations should:
disable unauthenticated ADB access
restrict access to private IP ranges
monitor anomalous proxy and outbound traffic
apply continuous SOC monitoring and threat hunting
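For the first recommendation above, one way to audit devices you manage for unauthenticated ADB over TCP is to inspect the system properties printed by `adb shell getprop`. This is an added example, not code from the cited research; the sample property dumps are constructed, and treating any `ro.adb.secure` value other than 1 as unauthenticated is a conservative assumption.

```python
import re

# getprop prints one property per line as "[key]: [value]".
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")

# Constructed sample dumps (not taken from real devices).
SAMPLE_TV_BOX = """\
[ro.product.model]: [ExampleBox-1]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
"""
SAMPLE_PHONE = """\
[ro.product.model]: [ExamplePhone]
[ro.adb.secure]: [1]
[service.adb.tcp.port]: [-1]
"""

def parse_getprop(text):
    """Parse getprop output into a dict, skipping lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def _tcp_port(value):
    """Return the port as an int, or None when unset, non-numeric or <= 0."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        return None
    return port if port > 0 else None

def audit_adb(props):
    """Summarise ADB network exposure for one device's properties."""
    # service.* is the runtime setting; persist.* re-applies it on every boot.
    keys = ("service.adb.tcp.port", "persist.adb.tcp.port")
    ports = sorted({p for p in (_tcp_port(props.get(k)) for k in keys) if p})
    # Assumption: only ro.adb.secure == 1 counts as key authorization enforced.
    auth_enforced = props.get("ro.adb.secure") == "1"
    return {
        "model": props.get("ro.product.model", "unknown"),
        "tcp_ports": ports,
        "auth_enforced": auth_enforced,
        "exposed_unauthenticated": bool(ports) and not auth_enforced,
    }

if __name__ == "__main__":
    for dump in (SAMPLE_TV_BOX, SAMPLE_PHONE):
        print(audit_adb(parse_getprop(dump)))
```

Devices flagged as exposed_unauthenticated are the ones to fix or isolate first; a TCP port with auth_enforced still deserves a firewall rule.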
Sources:
Synthient Research; QiAnXin XLab; The Hacker News; public Android IoT botnet analyses (2025–2026)




