The Android WireX Botnet neutralized thanks to cooperation of companies from the security industry
One of this month's quieter but most important successes credited to companies in the security industry is the neutralization of the WireX botnet, made up of devices running Android. These were mainly smartphones and tablets, sometimes also smart TVs, with malicious applications installed from Google Play (of all places). Thanks to the cooperation of Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others, many Android users can feel more secure today.
The attacks began on July 13 and continued for over a month. During this time the websites of many CDN customers were hit with massive DDoS traffic, making the sites unavailable. Such incidents should not be underestimated: while a site is under attack, vulnerabilities in its installed software can also be exploited, all the more so because securing the server or applying the latest updates can be significantly hampered at that time.
In the initial phase of the attacks, HTTP requests were observed that identified devices with pseudo-random header characters:
User-Agent: jigpuzbcomkenhvladtwysqfxr
User-Agent: yudjmikcvzoqwsbflghtxpanre
User-Agent: mckvhaflwzbderiysoguxnqtpj
User-Agent: deogjvtynmcxzwfsbahirukqpl
User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
User-Agent: yczfxlrenuqtwmavhojpigkdsb
User-Agent: dnlseufokcgvmajqzpbtrwyxih
There were also variants of malware that reported infected devices with different strings:
User-Agent: xlw2ibhqg0i
User-Agent: bg5pdrxhka2sjr1g
User-Agent: 5z5z39iit9damit5czrxf655ok060d544ytvx25g19hcg18jpo8vk3q
User-Agent: fge26sd5e1vnyp3bdmc6ie0
User-Agent: m8al87qi9z5cqlwc8mb7ug85g47u
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:220.127.116.11) Gecko/20071018 BonEcho/18.104.22.168
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_7; en-us) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2
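Each User-Agent in the first set above is 26 distinct lowercase letters, that is, a shuffled alphabet. The following detector is an added example, not code from the article or from the researchers who analyzed WireX: it parses constructed web-server log lines (combined log format, sample IPs and timestamps are made up) and flags requests carrying that shuffled-alphabet signature. The second family of strings (short alphanumerics and spoofed browser UAs) is not matched by this rule and would need a separate signature.

```python
import re

# Constructed sample log lines (not from the article): combined log format,
# with User-Agent values taken from the article plus ordinary and edge-case ones.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jul/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomkenhvladtwysqfxr"
10.0.0.2 - - [13/Jul/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "yudjmikcvzoqwsbflghtxpanre"
10.0.0.3 - - [13/Jul/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0 Safari/537.36"
10.0.0.4 - - [13/Jul/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "abcdefghijklmnopqrstuvwxyz"
10.0.0.5 - - [13/Jul/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "aaaaaaaaaaaaaaaaaaaaaaaaaa"
10.0.0.6 - - [13/Jul/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "bg5pdrxhka2sjr1g"
"""

# In combined log format the User-Agent is the last quoted field on the line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<ua>[^"]*)"$')
ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz")


def is_shuffled_alphabet(ua: str) -> bool:
    """True if the UA is a permutation of a-z: exactly 26 chars, each letter once.

    Length alone is not enough ("aaaa...a" is 26 chars); the set comparison
    enforces that every letter appears exactly once.
    """
    return len(ua) == 26 and set(ua) == ALPHABET


def parse_user_agent(line: str):
    """Return (client_ip, user_agent) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return (m.group("ip"), m.group("ua")) if m else None


def find_wirex_like(log_text: str):
    """Return a list of (client_ip, user_agent) for requests with the shuffled-alphabet UA."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_user_agent(line)
        if parsed and is_shuffled_alphabet(parsed[1]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for ip, ua in find_wirex_like(SAMPLE_LOG):
        print(f"{ip}\t{ua}")
```

Run against real access logs, the list of matching client IPs is the input for rate limiting or blocking at the CDN or WAF rather than something to act on per request.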
The analysis showed that the devices making up the WireX botnet came from over 100 different countries. In the initial attacks, the malware reported an infected device to a web server using the same user-agent signature. The culprit was identified as a malicious application file named "twdlphqg_v1.3.5_apkpure.com.apk".
By analyzing the various application names and parameters with which they operated, as well as the names of the authors assigned to them, the researchers managed to discover many similar malicious programs:
The experts contacted the operators of alternative app stores and Google Play itself. Google Play alone hosted over 300 infected applications, many of them listed in the media player, ringtone, tool and file manager categories.
Many antivirus programs detected similar threats as "Android Clicker". The authors of the study consider this nomenclature incorrect: in their view the campaign had little in common with click fraud on advertisements and was concerned solely with carrying out DDoS attacks. In any case, the malicious software has been removed from the official and alternative app stores, but this does not completely solve the security problem. Google Play has proven more than once that it is not a secure source of software for Android.