This particular Android botnet, which has been dubbed WireX, was used to send tens of thousands of HTTP requests that were meant to resemble those coming from legitimate browsers. The researchers were able to establish a pattern in the User-Agent string reported by the rogue clients and traced them back to malicious Android applications.

Some of the applications were available in third-party app stores that came pre-installed on devices, but around 300 of them were hosted on Google Play. "Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected," the researchers said in a report.

Most of the rogue applications requested device administrator permissions during installation, which allowed them to launch a background service and participate in DDoS attacks even when the applications themselves were not actively used or when the devices were locked.

Google has removed the malicious applications from Google Play and started to remotely remove them from affected devices as well. Furthermore, the Play Protect feature, which runs locally on Android devices, prevents these apps from being reinstalled, the researchers said.

Some antivirus products detect the malicious applications as an "Android Clicker" Trojan, which might suggest that the botnet's original purpose was click fraud, a method of earning revenue from fraudulent clicks on advertisements. However, by the time it was discovered, the botnet had clearly been repurposed for DDoS and was receiving attack instructions from command-and-control servers hosted under the same domain name.

This is not the first Android-based DDoS botnet ever found, but it is certainly the largest. At the peak of the attacks, the researchers observed malicious traffic coming from over 120,000 unique IP addresses per hour. Last year, security firm Imperva uncovered a similar botnet that was used to launch DDoS attacks from around 27,000 infected Android devices.
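The two measurements the article relies on, a recognisable User-Agent pattern and the number of distinct source IPs per hour, are easy to reproduce from ordinary web-server access logs. The following is an added example, not code from the article or from the researchers it cites. The article does not give the exact User-Agent pattern, so this example assumes one: a User-Agent consisting only of lowercase ASCII letters, which no legitimate browser sends (real browsers send product tokens with uppercase letters, digits, slashes and parentheses). The log lines, IP addresses and User-Agent strings are constructed for the example.

```python
"""Flag bot clients by an anomalous User-Agent pattern and count distinct
source IPs per hour from web-server access logs.

Example code written for this page; not from the WireX investigation.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format:
# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION (not stated on the page): the rogue User-Agent is modelled as a
# run of ten or more lowercase ASCII letters and nothing else. Tune the
# pattern to whatever the clients you are actually investigating send.
BOT_UA_RE = re.compile(r"^[a-z]{10,}$")

# Constructed sample log lines; the addresses are from the documentation
# range 203.0.113.0/24 and the User-Agent strings are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2017:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "qwertzuiopasdfghjklyxcvbnm"
203.0.113.11 - - [17/Aug/2017:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.107 Mobile Safari/537.36"
203.0.113.12 - - [17/Aug/2017:14:03:05 +0000] "GET / HTTP/1.1" 200 512 "-" "mnbvcxylkjhgfdsapoiuztrewq"
203.0.113.10 - - [17/Aug/2017:14:05:40 +0000] "GET / HTTP/1.1" 200 512 "-" "qwertzuiopasdfghjklyxcvbnm"
203.0.113.13 - - [17/Aug/2017:15:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "abcdefghijklmnopqrstuvwxyz"
203.0.113.14 - - [17/Aug/2017:15:01:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.54.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None on a non-matching line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_bot_user_agent(ua):
    """True if the User-Agent matches the assumed bot pattern."""
    return BOT_UA_RE.match(ua) is not None


def unique_bot_ips_per_hour(log_text):
    """Return {hour bucket: number of distinct source IPs} over flagged requests.

    Counting distinct IPs rather than requests is what makes the figure
    comparable to the "unique IP addresses per hour" metric in the article:
    one infected device retrying in a loop should not inflate the count.
    """
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_bot_user_agent(rec["ua"]):
            continue
        buckets[rec["ts"].strftime("%Y-%m-%d %H:00")].add(rec["ip"])
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


if __name__ == "__main__":
    for hour, n in unique_bot_ips_per_hour(SAMPLE_LOG).items():
        print(f"{hour}  distinct flagged source IPs: {n}")
```

On the constructed sample the first hour yields two distinct flagged addresses (203.0.113.10 appears twice and is counted once) and the second hour one; the Chrome and curl clients are not flagged. On real logs, feed `unique_bot_ips_per_hour` the raw access log and compare the flagged-IP series against the overall request rate; a sudden rise in distinct sources sharing one odd User-Agent is the signature of a distributed client-side botnet rather than a single misbehaving scraper.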