Application Security , DDoS Protection , Endpoint Security

Collaborative Effort Defangs WireX, an Android Botnet

WireX Launched DDoS Attacks Using At Least 70,000 Devices
Collaborative Effort Defangs WireX, an Android Botnet

Several big-name IT companies say they've collaborated to investigate and defang a botnet dubbed WireX that leveraged at least 70,000 Android devices to stage distributed denial-of-service attacks. It's perhaps the largest ever botnet to be discovered that harnesses Android devices.

See Also: Cybersecurity for the SMB: Steps to Improve Defenses on a Smaller Scale

The botnet code was tucked within hundreds of apps within Google's Play Store, the repository for Android-compatible applications, and other third-party Android app marketplaces. Researchers suspect the botnet was first intended for click fraud but then repurposed for DDoS.

"That's interesting because the sophistication of people that run those kind of [click fraud] botnets is a lot higher than what we would see in DDoS," says Nick Rieniets, senior security specialist with Akamai Australia and New Zealand. "You are seeing a convergence of those two worlds."

The malicious apps lured people by offering ringtones, free media players and Android administration tools. Inside the apps was DDoS attack code that could be directed to attack websites and services, although the victims were not identified.

Google says it has removed 300 tainted apps from its Play Store, a surprisingly high number that somehow escaped the company's security inspections for new apps. It has also tweaked Play Protect, its new app security feature, to remove infected apps from phones and block installs.

Google had put a great deal of effort into cleaning up the Play Store and proactively spotting apps that purport to be legitimate. But somehow these malicious ones slipped by.

Industry Hugs

The companies that lifted the lid on WireX - Akamai, Dyn, Flashpoint, Cloudflare and RiskIQ - issued identical press releases on Monday discussing their findings.

The somewhat unorthodox cooperation among the companies was attributed to greater cooperation following last year's Mirai IoT attacks and two bouts of virulent ransomware, WannaCry and NotPetya, earlier this year.

"I've never seen that [cooperation] in the security industry in 20 years," Rieniets says. "It's certainly the industry growing up."

The first attacks, which were little noticed, have been traced back to Aug. 2. But it wasn't until Aug. 17 that attack analysis revealed "devices from more than 100 countries participated, an uncharacteristic trait for current botnets," the companies write.

The attacks all left an Android-related signature in logs, which then prompted analysts to attempt to figure out what applications were generating the attack traffic. They found many.

The DDoS traffic looked like regular HTTP traffic, as if normal users were repeatedly browsing to one of the sites that the botnet controllers commanded the apps to attack. When a phone was attacking a site, users were completely unaware, because the attack occured in the background, even when the phone is asleep.

Did You GET that?

The tricky part of this attack is that it used GET requests, which is regular HTTP traffic. The malicious apps launched a "headless" web browser in the background, which couldn't be seen by the owner of the phone. A command-and-control server supplied a target, and the traffic began flowing to the targeted service.

Rieniets says such attacks are difficult to mitigate because the traffic looks like regular users trying to visit a site. "If you start getting a flood of GETs among normal ones from browsers and apps, it [could] be challenging for organizations to make accurate decisions" about who to block, he says.

Many ISPs run so-called "clean pipe" DDoS mitigation defenses, which attempt to only deliver the legitimate, non-bot traffic. But WireX's strategy - to look like real users - made it difficult to parse good and bad traffic.

WireX is also cleverly coded to actually respond to JavaScript challenges, Rieniets says. Most bots won't respond to JavaScript challenges, which are used to detect certain characteristics of website visitors in order to try to distinguish bots from regular users.

Constant Innovation

Why those who created WireX decided to harness Android devices remains a mystery. But it shows, like the Mirai worm last year, that there is constant innovation among attackers (see Fast-Spreading Mirai Worm Disrupts UK Broadband Providers).

"It's unusual from a DDoS perspective to see this kind of vehicle [Android] being used," Rieniets says.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.