An IoT botnet that first emerged in January and was using brute-force attacks to guess credentials and compromise devices is now exploiting some Android devices, as well, broadening the potential victim pool significantly.

The botnet is known as Hide and Seek and researchers at Bitdefender discovered it about eight months ago when one of their honeypots caught a bot trying a dictionary attack against Telnet. The bots typically infect IoT devices, which are soft targets for any malware that cares to have a go at them. But now the botnet has added functionality that can go after Android devices that have the Android Debug Bridge (ADB) over WiFi enabled. That feature is there for use by developers trying to fix issues with their apps, but attackers have been known to abuse it in various ways, too. The service doesn’t require any authentication and an attacker can get root access to the exposed device.

Most manufacturers disable the ADB over WiFi feature before they ship their devices, but some have been known to leave it enabled. That’s an open invitation for attackers, and some are taking advantage of it.

“The Hide and Seek botnet already packed a vast arsenal for compromising internet-connected devices, and this recent addition may enable it to amass at least another 40,000 new devices, according to a quick search on Shodan. While most potentially affected devices seem to be in Taiwan, Korea and China, some appear to be in the United States and the Russia,” Liviu Arsene, a senior threat analyst at Bitdefender, wrote in a post analyzing the new functionality of the botnet.

“Some of these devices may directly face the internet, while others may be hidden behind routers. However, this does not make them immune, as routers are among the most vulnerable internet-connected devices, accounting for 59.45 percent of the top 10 most-vulnerable devices, according to Bitdefender research.”

Nor is it just Android phones that may be vulnerable. Android runs on many other types of devices, too, including smart TVs, tablets, watches, and other gadgets. The OS also runs on some industrial devices and is used in some vehicle infotainment systems. Hide and Seek is just one of many botnets that have targeted IoT devices in the last couple of years, with Mirai being the most notorious of the bunch. While Mirai has been used for a number of different purposes, including DDoS attacks, Arsene said it’s not exactly clear what the operators behind Hide and Seek are up to.

“Considering the evidence at hand, we speculate the botnet operators are constantly adding new features to ‘enslave’ as many devices as possible, although the true purpose of the botnet remains unknown,” he said.