Summary (Bottom Line Up Front)
A Norwegian IP address (46.46.228.195) conducted sustained Android Debug Bridge (ADB) reconnaissance against network infrastructure over a 4-day period, generating over 4,300 malicious events targeting TCP port 5555. This represents a MEDIUM severity threat focused on identifying exposed Android devices or ADB-enabled systems for potential compromise. Network defenders should immediately audit ADB exposure and implement port-based blocking controls.
Activity Timeline
INITIAL REPORT 2026-05-03T11:30:20Z
Source: Analyst Manual Entry
Technical details
The threat actor operated from 2026-04-29 18:00 through 2026-05-03 12:00, exclusively targeting ADB services on TCP port 5555. Attack patterns included 1,109 direct ADB connection attempts and multiple protocol-abuse signatures indicating TCP stream manipulation techniques. The campaign used ADB, ICMP, TCP, and TCP SYN protocols in a coordinated scanning approach. No specific CVEs were exploited, but the activity aligns with T1046 (Network Service Scanning) reconnaissance techniques. The source IP shows no prior abuse history but demonstrates focused targeting behavior consistent with device-enumeration campaigns.
IOCs
IP: 46.46.228.195
COUNTRY: NO
Recommendations
- Block inbound connections to TCP port 5555 (ADB) at network perimeters unless explicitly required for business operations
- Audit all Android devices and development systems for unnecessary ADB exposure to external networks
- Implement network segmentation to isolate development environments containing ADB-enabled devices
- Monitor for unusual ADB connection attempts and establish baseline traffic patterns for legitimate development activities
- Consider geo-blocking Norwegian IP ranges if no business justification exists for connections from this region
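The monitoring recommendation above can be turned into a simple detection: aggregate inbound attempts to TCP 5555 per source, exclude known development hosts as the baseline, and alert on sources whose attempts are both numerous and spread over time. The following is an added example written for this report, not a detection from the reporting sensors; the flow-log line format and the sample lines are constructed, and the thresholds and allowlist are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADB_PORT = 5555

# Constructed sample flow-log lines in an assumed key=value format (not from the report).
# Five denied ADB probes from the reported source across four days, plus one internal
# development host that legitimately reaches ADB and HTTPS.
SAMPLE_LOG = """\
2026-04-29T18:00:05Z src=46.46.228.195 dst=10.0.0.12 dport=5555 proto=tcp flags=S action=deny
2026-04-29T18:00:06Z src=46.46.228.195 dst=10.0.0.13 dport=5555 proto=tcp flags=S action=deny
2026-04-30T02:15:41Z src=46.46.228.195 dst=10.0.0.20 dport=5555 proto=tcp flags=S action=deny
2026-05-01T09:42:10Z src=46.46.228.195 dst=10.0.0.21 dport=5555 proto=tcp flags=S action=deny
2026-05-03T11:58:02Z src=46.46.228.195 dst=10.0.0.12 dport=5555 proto=tcp flags=S action=deny
2026-05-01T10:00:00Z src=10.0.5.7 dst=10.0.0.12 dport=5555 proto=tcp flags=S action=allow
2026-05-01T10:00:01Z src=10.0.5.7 dst=10.0.0.12 dport=443 proto=tcp flags=S action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def adb_scan_sources(log_text, min_attempts=3, min_span=timedelta(hours=1), allowlist=()):
    """Map source IP -> stats for sources probing TCP 5555 persistently enough to alert on.

    allowlist holds development hosts whose ADB use is the legitimate baseline.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "targets": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != ADB_PORT or rec[1] in allowlist:
            continue
        ts, src, dst, _ = rec
        s = per_src[src]
        s["attempts"] += 1
        s["targets"].add(dst)
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    alerts = {}
    for src, s in per_src.items():
        span = s["last"] - s["first"]
        if s["attempts"] >= min_attempts and span >= min_span:  # sustained, not a one-off
            alerts[src] = {"attempts": s["attempts"], "distinct_targets": len(s["targets"]),
                           "span_hours": round(span.total_seconds() / 3600, 1)}
    return alerts
```

Feed the function your own 5555-filtered flow or firewall logs and adjust the thresholds so that normal development traffic stays below them.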