Skip to content
PortsDB

Port reference

Port 5555 (TCP) – Android Debug Bridge (ADB)

TCP/IP listener for Android Debug Bridge — a full developer shell into Android devices.

tcpRegisteredCommonly attacked

Default state

Open when ADB-over-TCP is enabled. Commonly left exposed on rooted phones, IoT, TV boxes, and dev boards.

Common attacks

  • Unauthenticated shell access to the device over ADB
  • Silent app/APK installation and malware deployment
  • Cryptomining worms (e.g. ADB.Miner / Trinity) spreading device to device
  • Data theft, screen capture, and command execution as the shell user

Hardening

  • Disable ADB over TCP/IP (adb usb) and turn off Developer Options when not needed
  • Never expose 5555 to the internet or untrusted networks
  • Enforce ADB authorization (RSA key prompt) and reject unknown hosts
  • Firewall/segment IoT and TV devices away from the internet
  • Keep device firmware patched and avoid sideloaded/rooted exposure

nmap snippet

nmap -p5555 -sV <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5555?

Port 5555 is the default TCP/IP listener for the Android Debug Bridge (ADB), the developer tool used to shell into Android devices, push and install APKs, read logs, and run commands. Normally ADB runs over USB, but ADB-over-TCP exposes the same powerful interface on the network — common on rooted phones, TV boxes, set-top devices, and Android-based IoT.

Why it matters for security

ADB grants a developer shell with broad control of the device. When ADB-over-TCP is enabled and the RSA authorization step is missing or disabled, anyone who reaches 5555 gets an unauthenticated shell: they can install apps, read files, capture the screen, and run arbitrary commands. Vast numbers of consumer devices ship this way and end up exposed on the internet.

How it's attacked

Botnets continuously scan for open 5555 and connect over ADB with no authentication. Worms such as ADB.Miner / Trinity install cryptominers and then use each infected device to scan for the next victim, spreading device to device across phones, TVs, and IoT. The same access enables malware installation, data theft, and full command execution.

Hardening checklist

Disable ADB over TCP/IP (adb usb) and turn off Developer Options when you are not actively debugging. Never expose 5555 to the internet or untrusted networks, and enforce ADB authorization so unknown hosts are rejected. Firewall and segment IoT and TV devices away from inbound access, and keep firmware patched. The nmap snippet above fingerprints the service on devices you are authorized to test.

Related ports

Port 5037Port 5900Port 4444Port 23

Frequently asked questions

Is ADB on port 5555 authenticated?
ADB has an RSA-key authorization prompt, but devices with ADB-over-TCP enabled and authorization disabled accept anyone. Exposed 5555 then gives a full unauthenticated device shell.
What is ADB.Miner?
A worm that scans for open 5555 ports, connects over ADB without authentication, installs a cryptominer, and uses the device to scan for more victims — spreading across phones, TVs, and IoT.