WireX Android DDoS Botnet
Do you believe that just because you have downloaded an
app from the official app store, you're safe from malware?
Think twice before believing it.
WireX is a new botnet comprising tens of thousands of hacked Android mobile
devices that was used this month (August 2017) to launch a series of large
distributed denial-of-service (DDoS) attacks.
Experts involved in the takedown warn that WireX marks
the emergence of a new class of attack tools that are more challenging to
defend against and thus require broader industry cooperation to defeat.
WireX first surfaced on August 2, 2017, when a modest collection of hacked
Android devices was spotted conducting some fairly small online attacks. Less
than two weeks later, however, the number of infected Android devices enslaved
by WireX had ballooned to the tens of thousands.
More worrisome was that those in control of the
botnet were now wielding it to take down several large websites in the
hospitality industry — pelting the targeted sites with so much junk traffic
that the sites were no longer able to accommodate legitimate visitors.
Experts tracking the attacks soon zeroed in on the malware that powers WireX:
approximately 300 different mobile apps scattered across Google's Play store
that mimicked seemingly innocuous programs, including video players, ringtones
and simple tools such as file managers.
Perhaps to avoid raising suspicion, the tainted Play
store applications all performed their basic stated functions. But those apps
also bundled a small program that would launch quietly in the background
and cause the infected mobile device to surreptitiously connect to an Internet
server used by the malware’s creators to control the entire network of hacked
devices. From there, the infected mobile device would await commands from the
control server regarding which Websites to attack and how.
The WireX botnet was used to launch minor DDoS attacks earlier this month, but
after mid-August the attacks began to escalate.
The WireX botnet had infected over 120,000 Android smartphones at its peak earlier this month, and on 17 August researchers observed a massive DDoS attack (primarily HTTP GET requests) originating from more than 70,000 infected mobile devices in over 100 countries.
If your website has been DDoSed, check the User-Agent strings in your access logs for the pattern the researchers reported to determine whether the traffic came from the WireX botnet.
Like many malicious apps, WireX apps do not act maliciously immediately after installation, in order to evade detection and make their way into the Google Play Store.
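The triage the paragraph above suggests, as an added example that is not part of the original article or of the researchers' tooling: parse a web server's combined-format access log, profile traffic per User-Agent (request count, number of distinct source IPs, share of GET requests) and rank the User-Agents that match a given pattern and arrive from many sources. The page does not reproduce the published WireX User-Agent pattern, so `UA_PATTERN` below is an illustrative placeholder to be replaced with the real one; the log lines are constructed sample data, not captured traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: illustrative stand-in for the published WireX User-Agent pattern,
# which this page does not reproduce; substitute the real pattern before use.
UA_PATTERN = r"[a-z]{20,40}"

# Constructed sample access log (not real traffic): two browser hits, one
# bot-like User-Agent seen from three source IPs, a second one seen from a
# single IP, and a malformed line the parser must skip.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2017:13:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
203.0.113.11 - - [17/Aug/2017:13:01:05 +0000] "GET /rates HTTP/1.1" 200 7730 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
198.51.100.21 - - [17/Aug/2017:13:01:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "qwertyuiopasdfghjklzxcvbnm"
198.51.100.22 - - [17/Aug/2017:13:01:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "qwertyuiopasdfghjklzxcvbnm"
198.51.100.23 - - [17/Aug/2017:13:01:07 +0000] "GET /book HTTP/1.1" 503 - "-" "qwertyuiopasdfghjklzxcvbnm"
198.51.100.21 - - [17/Aug/2017:13:01:07 +0000] "GET / HTTP/1.1" 503 - "-" "qwertyuiopasdfghjklzxcvbnm"
192.0.2.77 - - [17/Aug/2017:13:01:08 +0000] "GET / HTTP/1.1" 200 5120 "-" "mnbvcxzlkjhgfdsapoiuytrewq"
this line is not in combined log format
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_user_agents(lines):
    """Per User-Agent: request count, number of distinct client IPs, GET share."""
    raw = defaultdict(lambda: {"requests": 0, "ips": set(), "gets": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the whole run
        s = raw[rec["ua"]]
        s["requests"] += 1
        s["ips"].add(rec["ip"])
        if rec["method"] == "GET":
            s["gets"] += 1
    return {
        ua: {
            "requests": s["requests"],
            "distinct_ips": len(s["ips"]),
            "get_share": s["gets"] / s["requests"],
        }
        for ua, s in raw.items()
    }


def suspect_user_agents(profiles, pattern=UA_PATTERN, min_distinct_ips=3):
    """User-Agents that fully match `pattern` and arrive from at least
    `min_distinct_ips` sources, ranked by source count and then by volume.
    The distinct-IP floor separates a botnet from a single noisy client."""
    rx = re.compile(pattern)
    hits = [
        (ua, p) for ua, p in profiles.items()
        if rx.fullmatch(ua) and p["distinct_ips"] >= min_distinct_ips
    ]
    hits.sort(key=lambda kv: (-kv[1]["distinct_ips"], -kv[1]["requests"]))
    return hits


if __name__ == "__main__":
    profiles = profile_user_agents(SAMPLE_LOG.splitlines())
    for ua, p in suspect_user_agents(profiles):
        print(f"{p['distinct_ips']:>5} IPs {p['requests']:>6} reqs "
              f"GET share {p['get_share']:.0%}  UA={ua!r}")
```

On a real incident, feed the script the log for the attack window only (the distinct-IP and GET-share figures are only meaningful relative to baseline traffic) and raise `min_distinct_ips` to something appropriate for the site's normal volume; a matching User-Agent from one or two addresses is a scanner, not a tens-of-thousands-strong botnet.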
Instead, WireX apps wait patiently for commands from their command-and-control servers, located at multiple subdomains of "axclick.store".
Google has identified and blocked most of the roughly 300 WireX apps, which were mostly downloaded by users in Russia, China and other Asian countries, although the WireX botnet is still active on a small scale.
If your device is running a newer version of the Android operating system that
includes Google's Play Protect feature, Google will automatically remove WireX
apps from your device if you have one installed.
Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users' Android smartphones to prevent further harm.
It is also highly recommended to install apps only from reputable, verified developers, even when downloading from Google's official Play Store, and to avoid installing unnecessary apps.
Additionally, you are strongly advised to keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and to always keep your device and apps up to date.
Android malware continues to evolve, with more sophisticated and never-before-seen attack vectors and capabilities appearing every day.
Just at the beginning of this week, Google removed from its Play Store over 500 Android apps that used a rogue SDK to secretly distribute spyware to users.
Last month, we also saw the first Android malware with code-injection capabilities making the rounds on Google Play Store.