The Matryosh botnet goes after Android devices that have ADB enabled and uses them in orchestrated DDoS attacks. It uses the encrypted Tor network to mask its malicious traffic. The botnet is named after the Russian nesting dolls because the encryption algorithm it uses and the process of obtaining command and control (C2) are nested in layers. Some vendors are shipping Android devices with port 5555 open. This allows developers to communicate with devices remotely in order to control a device and execute commands, but it also creates a backdoor for any other attackers.
Source: https://blog.malwarebytes.com/malwarebytes-news/2021/02/android-devices-caught-in-matryosh-botnet/
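
An added example (not from the Malwarebytes article): one way a defender could find devices on their own network whose ADB port is reachable from outside, by filtering firewall flow records for allowed inbound connections to TCP 5555. The CSV log layout, the internal address ranges and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address, ip_network

ADB_TCP_PORT = 5555  # ADB-over-TCP port named in the text above

# Assumption: the address ranges this site treats as internal.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic): time,src,dst,dport,action
SAMPLE_FLOWS = """\
2021-02-05T10:00:01Z,203.0.113.7,192.168.1.40,5555,ALLOW
2021-02-05T10:00:02Z,192.168.1.10,192.168.1.40,5555,ALLOW
2021-02-05T10:00:05Z,198.51.100.23,192.168.1.41,5555,DENY
2021-02-05T10:00:09Z,203.0.113.7,192.168.1.42,443,ALLOW
2021-02-05T10:01:30Z,198.51.100.23,192.168.1.40,5555,ALLOW
malformed line without enough fields
"""


def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def exposed_adb_devices(flow_text):
    """Map each internal device to the external sources allowed to reach its TCP 5555."""
    hits = {}
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip malformed records instead of failing the whole audit
        _ts, src, dst, dport, action = (field.strip() for field in row)
        try:
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # unparsable address or port
        if port != ADB_TCP_PORT or action.upper() != "ALLOW":
            continue  # only connections the firewall actually let through
        if is_internal(dst_ip) and not is_internal(src_ip):
            hits.setdefault(dst, set()).add(src)
    return {device: sorted(sources) for device, sources in hits.items()}


if __name__ == "__main__":
    for device, sources in exposed_adb_devices(SAMPLE_FLOWS).items():
        print(f"{device}: ADB port reachable from {', '.join(sources)}")
```

Devices reported here are candidates for disabling ADB over the network or blocking TCP 5555 at the perimeter.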

