Collaborative Effort Defangs WireX, an Android Botnet
WireX Launched DDoS Attacks Using At Least 70,000 Devices
Several big-name IT companies say they've collaborated to investigate and defang a botnet dubbed WireX that leveraged at least 70,000 Android devices to stage distributed denial-of-service attacks. It's perhaps the largest ever botnet to be discovered that harnesses Android devices.
The botnet code was tucked within hundreds of apps within Google's Play Store, the repository for Android-compatible applications, and other third-party Android app marketplaces. Researchers suspect the botnet was first intended for click fraud but then repurposed for DDoS.
"That's interesting because the sophistication of people that run those kind of [click fraud] botnets is a lot higher than what we would see in DDoS," says Nick Rieniets, senior security specialist with Akamai Australia and New Zealand. "You are seeing a convergence of those two worlds."
The malicious apps lured people by offering ringtones, free media players and Android administration tools. Inside the apps was DDoS attack code that could be directed to attack websites and services, although the victims were not identified.
Google says it has removed 300 tainted apps from its Play Store, a surprisingly high number that somehow escaped the company's security inspections for new apps. It has also tweaked Play Protect, its new app security feature, to remove infected apps from phones and block installs.
Google had put a great deal of effort into cleaning up the Play Store and proactively spotting apps that purport to be legitimate. But somehow these malicious ones slipped by.
The companies that lifted the lid on WireX - Akamai, Dyn, Flashpoint, Cloudflare and RiskIQ - issued identical press releases on Monday discussing their findings.
The somewhat unorthodox collaboration among the companies was attributed to greater cooperation following last year's Mirai IoT attacks and two bouts of virulent ransomware, WannaCry and NotPetya, earlier this year.
"I've never seen that [cooperation] in the security industry in 20 years," Rieniets says. "It's certainly the industry growing up."
The first attacks, which were little noticed, have been traced back to Aug. 2. But it wasn't until Aug. 17 that attack analysis revealed "devices from more than 100 countries participated, an uncharacteristic trait for current botnets," the companies write.
The attacks all left an Android-related signature in logs, which then prompted analysts to attempt to figure out what applications were generating the attack traffic. They found many.
The DDoS traffic looked like regular HTTP traffic, as if normal users were repeatedly browsing to one of the sites that the botnet controllers commanded the apps to attack. When a phone was attacking a site, users were completely unaware, because the attack occurred in the background, even when the phone was asleep.
Did You GET that?
The tricky part of this attack is that it used GET requests, which is regular HTTP traffic. The malicious apps launched a "headless" web browser in the background, which couldn't be seen by the owner of the phone. A command-and-control server supplied a target, and the traffic began flowing to the targeted service.
Rieniets says such attacks are difficult to mitigate because the traffic looks like regular users trying to visit a site. "If you start getting a flood of GETs among normal ones from browsers and apps, it [could] be challenging for organizations to make accurate decisions" about who to block, he says.
Many ISPs run so-called "clean pipe" DDoS mitigation defenses, which attempt to only deliver the legitimate, non-bot traffic. But WireX's strategy - to look like real users - made it difficult to parse good and bad traffic.
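The kind of log analysis described above can be sketched as follows. This is an added example, not code from the article or from the companies involved: it groups GET requests in a web access log by User-Agent header and flags a value that is shared by many source addresses all requesting the same path. It assumes the shared trait shows up in the User-Agent header; the log lines, the header value and the thresholds are constructed for illustration, since the article does not publish the actual signature.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_flood_signatures(lines, min_ips=20, min_share=0.3, min_path_focus=0.9):
    """Return [(user_agent, requests, distinct_ips)] for GET traffic whose
    User-Agent is shared by many sources and aimed almost entirely at one path."""
    ips, paths, total = defaultdict(set), defaultdict(Counter), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparseable lines and non-GET requests
        total += 1
        ips[m["ua"]].add(m["ip"])
        paths[m["ua"]][m["path"]] += 1
    hits = []
    for ua, counter in paths.items():
        requests = sum(counter.values())
        focus = counter.most_common(1)[0][1] / requests  # share aimed at the top path
        if (len(ips[ua]) >= min_ips and requests / total >= min_share
                and focus >= min_path_focus):
            hits.append((ua, requests, len(ips[ua])))
    return sorted(hits, key=lambda h: -h[1])

def sample_log():
    """Constructed log: 40 flood clients plus 30 ordinary visitors."""
    fmt = '{ip} - - [17/Aug/2017:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "{ua}"'
    flood_ua = "EXAMPLE-ANDROID-SIGNATURE (constructed placeholder)"
    browser_uas = ["Mozilla/5.0 (constructed desktop browser)",
                   "Mozilla/5.0 (constructed mobile browser)"]
    pages = ["/", "/news", "/about", "/contact", "/img/logo.png"]
    lines = []
    for i in range(40):   # many sources, one header value, one target path
        for _ in range(3):
            lines.append(fmt.format(ip=f"198.51.100.{i + 1}", s=i % 60, p="/", ua=flood_ua))
    for i in range(30):   # normal users: varied pages, common browser headers
        lines.append(fmt.format(ip=f"203.0.113.{i + 1}", s=i % 60,
                                p=pages[i % 5], ua=browser_uas[i % 2]))
    return lines

if __name__ == "__main__":
    for ua, n, srcs in find_flood_signatures(sample_log()):
        print(f"{n} GETs from {srcs} sources share User-Agent: {ua}")
```

The ordinary browser headers in the sample are not flagged because each comes from fewer sources and spreads across several pages; a flood that also randomized its headers and paths would defeat this grouping, which is the difficulty Rieniets describes.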
Why those who created WireX decided to harness Android devices remains a mystery. But it shows, like the Mirai worm last year, that there is constant innovation among attackers (see Fast-Spreading Mirai Worm Disrupts UK Broadband Providers).
"It's unusual from a DDoS perspective to see this kind of vehicle [Android] being used," Rieniets says.