Hundreds of thousands of home routers, IP cameras and other internet-of-things devices have been infected with malware over the past year and have been used to launch some of the largest distributed denial-of-service (DDoS) attacks ever recorded. Attackers are now doing the same with Android devices, with the help of malicious applications hosted on Google Play and other third-party app stores.
A joint investigation by the security teams from Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru has led to the discovery of a large botnet made up of over 100,000 Android devices located in more than 100 countries. The investigation was launched in response to large DDoS attacks that have hit several content providers and content delivery networks over the past few weeks.
The goal behind DDoS attacks is to flood servers with bogus traffic in order to use up their available internet bandwidth or their CPU and RAM resources so they can no longer serve requests from legitimate users. Servers are typically configured to handle a certain number of concurrent connections based on the estimated number of visitors that they’re expected to receive. Load balancers, firewalls and other anti-DDoS technologies are used to limit the negative impact of any sudden traffic spikes, but with enough firepower, attackers can disrupt even the most well-protected networks.
This particular Android botnet, which has been dubbed WireX, was used to send tens of thousands of HTTP requests that were meant to resemble those coming from legitimate browsers. The researchers were able to establish a pattern to the User-Agent string reported by the rogue clients and traced them back to malicious Android applications. Some of the applications were available in third-party app stores that came pre-installed on devices, but around 300 of them were hosted on Google Play.
“Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected,” the researchers said in a report.
Most of the rogue applications requested device administrator permissions during installation, which allowed them to launch a background service and participate in DDoS attacks even when the applications themselves were not actively used or when the devices were locked.
Google has removed the malicious applications from Google Play and started to remotely remove them from affected devices as well. Furthermore, the Play Protect feature which runs locally on Android devices prevents these apps from being reinstalled, the researchers said.
Some antivirus products detect the malicious applications as an “Android Clicker” Trojan which might suggest that the botnet’s original purpose was click fraud, a method of earning revenue from fraudulent clicks on advertisements. However, by the time it was discovered, the botnet had clearly been repurposed for DDoS and was receiving attack instructions from command-and-control servers hosted under the same domain name.
This is not the first Android-based DDoS botnet ever found, but it is certainly the largest. At the peak of the attacks, the researchers observed malicious traffic coming from over 120,000 unique IP addresses per hour. Last year, security firm Imperva uncovered a similar botnet that was used to launch DDoS attacks from around 27,000 infected Android devices.
While Google is making significant efforts to keep malware off Google Play and constantly scans the apps hosted on its platform, this is not the first time when malicious applications have made it past its defenses. Just last week, the company removed applications that were using an advertising toolkit with spying capabilities and in May the company removed around 40 apps that included click fraud functionality.