Micro Focus is now part of OpenText. Learn more >

You are here

You are here

WireX: Horrible Android DDoS botnet neutered by collaboration

Richi Jennings Your humble blogwatcher, dba RJA

A loose confederation of information security and CDN companies has gotten together to fight a nasty new botnet of Android phones. And it turned out to be a huge deal: Hundreds of thousands of zombie devices were hammering their victims with web traffic that was really hard to filter.

And the kicker? The malware was actually downloaded from Google’s own Play Store, hidden inside around 300 apps.

Dubbed WireX, the botnet should not be confused with Wires-X (a ham radio repeater network), WireX Systems (a network forensics vendor), or Wirex (the Bitcoin debit card). In this week’s Security Blogwatch, we carefully avoid crossing the streams.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  IIB+GoT=awesome 

When phones attack

What’s the craic? Brian Krebs cycles in: [You’re fired—Ed.]

This unusual level of cross-industry collaboration caps a successful effort to dismantle ‘WireX,’ an extraordinary new crime machine. … A new class of attack tools that are more challenging to defend against and thus require broader industry cooperation to defeat.

Approximately 300 different mobile apps scattered across Google‘s Play store … were mimicking seemingly innocuous programs. [But they] bundled a small program that would launch quietly in the background and cause the infected mobile device to surreptitiously connect to an Internet server used by the malware’s creators.

Multiple antivirus tools currently detect the WireX malware as a known click fraud malware variant. [And] it is the botnet’s ability to generate what appears to be regular Internet traffic from mobile browsers that strikes fear in the heart of experts. … It can be far more difficult and time-consuming than usual for defenders to tell WireX traffic apart from clicks generated by legitimate Internet users.

According to the … consortium, the smartest step that organizations can take when under a DDoS attack is to talk to their security vendor(s) and make it clear that they are open to sharing detailed metrics related to the attack.

What, and how many, and why? Iain Thomson offers Tech firms take down WireX Android botnet:

[The] subverted apps [were] seemingly innocuous apps like media players and ringtones. … Infected apps were still running the advertised functions … but were hiding other system processes under names like Device Analysis, Data Storage and Package Manager.

Estimates of the total botnet's size vary … but it's thought to be in the low six figures … and spread over users in 100 countries.

The case also highlights yet another failure of Google's [PlayProtect] machine learning system, which is supposed to find and block malware-laden apps. … While malware does occasionally make its way into the Apple App Store, it's relatively rare. That Google, with all its resources, can't do the same isn't very impressive.

Oh, and who? The group explains How Industry Collaboration Disrupted a DDoS Attack:

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet … in the best interest of the internet community as a whole. … The researchers who began the initial investigation believe[d] that other organizations may have seen … similar attacks. The researchers reached out to peers [and] the investigation began to unfold rapidly.

In the wake of the Mirai attacks, information sharing groups have seen a resurgence. … WannaCry, Petya and other global events have only strengthened the value of this collaboration. Many information sharing groups, such as this one, are purely informal communications amongst peers across the industry.

These discoveries were only possible due to open collaboration. … Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.

But what of Google’s involvement? Mohit Kumar greatly underestimates the size, at An Army of Thousands:

Google has identified and already blocked most of 300 WireX apps, which were mostly downloaded by users in Russia, China, and other Asian countries.

If your device is running a newer version of the Android operating system that includes Google's Play Protect feature, the company will automatically remove WireX apps from your device.

Wait. Pause. What's this that Scott “@ScottWLovesYou” Weingartner says?

That story doesn't outright claim any of the apps were ever found in the Play Store. It tries to trick you into thinking it though.

It's just, don't call blocking an app removing it. And provide an actual list if they were there.

In related news, Google is expanding its Play Protect branding. Here’s Abner Li, with Google announces ‘Certified Android devices,’ Google Play Protect branding on packaging:

To feature the Play Store and run Google’s first-party apps, Android manufacturers have always had to meet certain requirements. Google is now … branding phones and tablets that follow certifications as “Certified Android devices.” This … coincides with Google Play Protect branding being featured on retail packaging.

Google is now better advertising this certification to likely distinguish from devices that just fork Android, which is a more common occurrence in developing markets. A key part of this new initiative is Google Play Protect.

The Play Protect logo will begin gracing retail packaging for Android phones and tablets. The company is encouraging consumers to look for this logo when shopping.

But Gator352 sounds slightly sarcastic:

Will be totally secure until it isn't. But I digress, the logo on the box fulfills my every desire of Android being 100% secure.

A-a-and when there’s a story that doesn’t exactly show Android in its best light, we can always rely on the skills of @JonyIveParody:

Android phones have more RAM than iPhones because they need more memory to run all that malware and spyware in the background.

Meanwhile, do you remember when NatGeo was a serious TV channel? Jim “@JNitterauer” Nitterauer‏ does:

When Phones Attack.

The moral of the story? Don’t keep your data to yourself. Instead, learn to share with your industry peers—even competitors—for the greater good of the Internet.

And finally …

All right, stop. Collaborate and listen … to "Ice Ice Baby" vs. "Game of Thrones"

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Norebbo Stock Illustration and Design (cc0)

Keep learning

Read more articles about: SecurityInformation Security