Move over, IoT. Attackers are abusing a new widely used platform to knock out sites.
Now, for one of the first times, researchers are reporting a new platform recently used to wage powerful denial-of-service attacks that were distributed among hundreds of thousands of poorly secured devices: Google’s Android operating system for phones and tablets. The botnet was made up of some 300 apps available in the official Google Play market. Once installed, they surreptitiously conscripted devices into a malicious network that sent junk traffic to certain websites with the goal of causing them to go offline or become unresponsive.
At its height, the WireX botnet controlled more than 120,000 IP addresses located in 100 countries. The junk traffic came in the form of HTTP requests that were directed at specific sites, many of which received notes ahead of time warning of the attacks unless operators paid ransoms. By spreading the attacks among so many phones all over the world and hiding them inside common Web requests, the attackers made it hard for the companies that defend against DDoS attacks to initially figure out how they worked. The attacks bombarded targets with as many as 20,000 HTTP requests per second in an attempt to exhaust server resources.
A volume of 20,000 requests per second may not sound like a big attack, but, depending on where they are directed, they can be significant. By funneling them into a target’s search page, for instance, the malicious requests can consume major amounts of computing power. Justin Paine, a researcher with one of seven security organizations that helped to neutralize WireX, said he and his colleagues believe the takedown came as the botnet was still in its infancy, as operators were in the process of increasing its firepower.
“We believe we identified this botnet and took action while it was still in the early stages of growing,” Paine, who is head of trust and safety at content delivery network Cloudflare, told Ars. “Luckily, the efforts of this group detected and took action against this botnet before it had a chance to grow much larger.”
The other companies involved in the takedown are: Akamai, Flashpoint, Google, Oracle-owned Dyn, RiskIQ, and Team Cymru.
The takedown was the result of researchers from all seven organizations pooling individual pieces of data they had access to in an attempt to figure out what was causing a series of attacks that is believed to have started on August 2. The researchers quickly found that all of the browsers involved identified themselves with the 26 lowercase English letters in random orders. That clue helped researchers discover that all the attacks were coming from malicious apps running on Android devices. The researchers soon identified the app name
twdlphqg_v1.3.5_apkpure.com.apk. Searches eventually identified the 300 apps so that Google could block them from the company-hosted marketplace and remove them from infected devices.
In many cases, the apps masqueraded as media players, storage managers, or ringtones. Behind the scenes, the infected devices sent the requests to targeted sites in lockstep with other infected devices. The apps were programmed to run in the background so that infected devices participated in attacks even when the apps weren’t actively being used. The researchers aren’t disclosing the names of the malicious apps. Antivirus products for Android will identify the malicious apps as the “Android Clicker” trojan, a reference to an earlier period when the malware was used in click-fraud scams that generate revenue by causing devices to click on ads. A report the companies published Monday also provides command-and-control servers and other details that may be helpful indicators of compromise to more technically experienced end users.
Paine said WireX is “one of the first, and certainly one of the biggest, Android-based DDoS botnets.” Last year, researchers from DDoS-mitigation service Incapsula reported a separate Android-based DDoS botnet.
With the advent of botnet software with names including Mirai and Bashlight, poorly secured digital video recorders and other so-called Internet of things devices have emerged as key threats to Internet stability. The blight is largely the result of several manufacturing decisions, including having the same default administrative password in each device and, in some cases, featuring remote administrative control that’s turned on by default. By infecting Android apps available in Google Play, DDoS attackers are now exploiting an age-old weakness in another widely used platform.
Post updated to reflect last year’s report of a different Android-based botnet.