
Security researchers team up to take down Android-based DDoS botnet, WireX

The WireX botnet consisted of Android devices running malicious apps to create DDoS traffic.

By: HT CORRESPONDENT
Updated on: Aug 30 2017, 17:43 IST
A major attack thwarted. / AFP PHOTO / Greg Wood (AFP)

A team of researchers from technology firms Akamai, Cloudflare, Flashpoint and RiskIQ, among others, have thwarted a lethal botnet called WireX, which was being used for creating DDoS (Distributed Denial of Service) traffic. The botnet primarily consists of Android devices running malicious apps.

At the moment, it's not clear how much damage the botnet caused. But considering that it used Android devices to attack, India could be one of the most affected countries. According to a recent Mary Meeker report, Indians spend the maximum time on Android devices. India is also among the top nations that look for free apps on the Google Play Store. According to an App Annie report for 2016, India beat the US in terms of maximum app downloads.


While internet penetration is growing in India, low awareness has left the country among the most vulnerable to malware and web application-based attacks. The latest botnet comes months after ransomware attacks like WannaCry and Petya affected more than 150 nations, including India.


Researchers traced the first appearance of the botnet to as early as August 2. The malware, however, initially went unnoticed until August 17, when it was used to target multiple Content Delivery Networks (CDNs) and content providers. According to researchers, some attacks were conducted on August 15 with some events "sourced from a minimum of 70,000 concurrent IP addresses."

"During initial observation, the majority of the traffic from this botnet was distinguished by the use of an HTTP. Variants of the malware have also been observed emitting User-Agent strings of varying length and expanded character sets, sometimes including common browser User-Agents," said the researchers in their detailed report.

"Analysis of the incoming attack data for the August 17th attack revealed that devices from more than 100 countries participated, an uncharacteristic trait for current botnets. The distribution of the attacking IPs along with the distinctive User-Agent string led the researchers who began the initial investigation to believe that other organizations may have seen or would be likely to experience similar attacks," it added.

"The researchers reached out to peers in other organisations for verification of what they were seeing. Once the larger collaborative effort began, the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system," said the report.

According to researchers, Google was informed about the malware a few days ago. In response, Google took down hundreds of infected applications and even started to remove the apps from all devices.

A lot of apps, infected with the botnet, belonged to popular categories such as media/video players, ringtones or tools like storage managers and app stores with extra features. Interestingly, end users could not identify that their apps were infected with the botnet.

Estimated growth of the botnet based on the count of unique IPs per hour observed participating in attacks. (AKAMAI)

Upon launching the infected app, "the nefarious components begin their work by starting the command and control polling service which queries the command and control server, most commonly g.axclick.store, for attack commands. When attack commands are received, the parsing service inspects the raw attack command, parses it and invokes the attacking service with the extracted parameters," the researchers explained.
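
Because infected devices poll the command and control host by name, a network defender can look for that name in DNS resolver logs. The sketch below is an added example, not code from the researchers' report: the log format, client addresses and the `p.` subdomain are constructed, and treating subdomains of the named host as matches is an assumption. It counts unique querying clients per hour, the same kind of measure the researchers used to estimate the botnet's growth.

```python
import re
from collections import defaultdict

# Indicator named in the article. Matching its subdomains as well is an assumption.
C2_HOSTS = {"g.axclick.store"}

# Constructed resolver log: "<UTC timestamp> <client IP> <query name> <record type>"
SAMPLE_LOG = """\
2017-08-17T09:02:11Z 10.0.4.21 g.axclick.store. A
2017-08-17T09:02:40Z 10.0.4.35 www.example.com. A
2017-08-17T09:17:05Z 10.0.4.21 G.AXCLICK.STORE A
2017-08-17T09:44:52Z 10.0.7.9 p.g.axclick.store. A
2017-08-17T10:03:30Z 10.0.4.21 g.axclick.store. A
2017-08-17T10:05:01Z 10.0.9.2 notg.axclick.store.example.net. A
2017-08-17T10:06:13Z 10.0.9.3 xg.axclick.store. A
malformed line without enough fields
"""

# Capture the date and hour as the bucket key, then client, query name and type.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.rstrip(".").lower()


def matches_c2(qname, indicators=C2_HOSTS):
    """True for an indicator host or a subdomain of it, compared on label
    boundaries so that look-alikes such as 'xg.axclick.store' do not match."""
    name = normalize(qname)
    return any(name == host or name.endswith("." + host) for host in indicators)


def c2_clients_per_hour(log_text):
    """Map each hour bucket to the sorted unique clients that queried the C2 host."""
    hours = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        hour, client, qname, _rtype = m.groups()
        if matches_c2(qname):
            hours[hour].add(client)
    return {hour: sorted(clients) for hour, clients in sorted(hours.items())}


if __name__ == "__main__":
    for hour, clients in c2_clients_per_hour(SAMPLE_LOG).items():
        print(hour, len(clients), clients)
```

A client that keeps appearing hour after hour is consistent with an app polling from the background rather than a one-off lookup.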

Infected Android apps (AKAMAI)

"The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them. These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use," they added.


First Published Date: 30 Aug, 17:42 IST
