The Android WireX Botnet neutralized thanks to cooperation of companies from the security industry

One of the most important quiet successes this month attributed to companies in the security industry is the neutralization of the WireX botnet consisting of devices with the Android system. These were mainly smartphones and tablets, sometimes also smart TV with malicious applications installed from Google Play (and how!). Thanks to the cooperation of Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others, many Android users may feel more secure today.

The attacks started on July 13 and lasted for over a month. The websites of many CDN service clients were attacked with massive DDoS at this time. This resulted in the unavailability of the site. As a consequence, it was possible to carry out attacks using susceptibility in the installed software, so you should not underestimate such incidents. All the more so because at this time, securing the server or uploading the latest updates can be significantly hampered.


More than 120,000 unique IP addresses participated in the climactic point in DDoS attacks at one time.

In the initial phase of the attacks, HTTP requests were observed that identified devices with pseudo-random header characters:

User-Agent: jigpuzbcomkenhvladtwysqfxr
User-Agent: yudjmikcvzoqwsbflghtxpanre
User-Agent: mckvhaflwzbderiysoguxnqtpj
User-Agent: deogjvtynmcxzwfsbahirukqpl
User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
User-Agent: yczfxlrenuqtwmavhojpigkdsb
User-Agent: dnlseufokcgvmajqzpbtrwyxih 

There were also variants of malware that reported infected devices with different strings:

User-Agent: xlw2ibhqg0i
User-Agent: bg5pdrxhka2sjr1g
User-Agent: 5z5z39iit9damit5czrxf655ok060d544ytvx25g19hcg18jpo8vk3q
User-Agent: fge26sd5e1vnyp3bdmc6ie0
User-Agent: m8al87qi9z5cqlwc8mb7ug85g47u
User-Agent: Mozilla / 5.0 (Windows; U; Windows NT 5.1; nl; rv: 1.9.1b3) Gecko / 20090305 Firefox / 3.1b3 (.NET CLR 3.5.30729)
User-Agent: Mozilla / 5.0 (X11; U; Linux i686; en-US; rv: 1.8.1.7) Gecko / 20071018 BonEcho / 2.0.0.7
User-Agent: Mozilla / 5.0 (Macintosh; U; PPC Mac OS X 10_5_7; en-us) AppleWebKit / 530.19.2 (KHTML, like Gecko) Version / 4.0.2 

The analysis showed that the devices making up the Wirex botnet came from over 100 different countries. Initial attacks in which malware reported an infected device to a web server had the same user-agent signature. We managed to identify the culprit - a malware called "twdlphqg_v1.3.5_apkpure.com.apk".

By analyzing the various application names and parameters with which they operated, as well as the names of the authors assigned to them, the researchers managed to discover many similar malicious programs:

Experts have contacted suppliers of alternative stores and Google Play itself. Only Google Play has over 300 infected applications. Many of them have been assigned to the category of media players, ringtones, tools and file managers.

Many antivirus programs detected similar threats as "Android Clicker". The authors of the study point to an incorrect nomenclature - in their opinion, the campaign did not have much in common with frauds consisting in phishing clicks on advertisements, but just on carrying out DDoS attacks. In any case, malicious software has been removed from official and alternative app stores, but this does not completely solve the security problem. Google Play has proven more than once that it is not a secure source of software for Android.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.