Tech firms band together to take down Android DDoS botnet

An ad-hoc alliance of tech firms has managed to seriously cripple an Android-based botnet that was being actively used to DDoS multiple content providers.

The botnet, dubbed WireX by the researchers, consisted of Android devices with malicious apps installed. In fact, in the wake of the discovery, Google has pulled some 300 such apps from Google Play, began removing them remotely from affected users’ devices, and blocked them from being installed.

destroy Android DDoS botnet

The malicious apps

The apps were an assortment of media/video players, ringtone apps, storage managers and app stores. They even worked as they were supposed to, but in the background they were sending out HTTP GET requests to target sites.

“These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use,” the researchers explained in a blog post, exact copies of which were published by most of the companies involved in the takedown.

“Antivirus scanners currently recognize this malware as the ‘Android Clicker’ trojan, but this campaign’s purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS.”

Some of the apps are still available for download from mirror sites, but Google’s Play Protect should prevent them from being installed on most Android devices.

The botnet attacks

“The first available indicators of the WireX botnet appeared on August 2nd as minor attacks that went unnoticed at the time. It wasn’t discovered until researchers began searching for the 26 character User-Agent string in logs. These initial attacks were minimal and suggest that the malware was in development or in the early stages of deployment,” the researchers noted.

Starting on August 15th, more prolonged attacks began to surface, and some of them involved over 70,000 concurrent IP addresses. This could mean as many devices, or less devices with changing IP addresses.

WireX is a volumetric DDoS attack at the application layer. But what makes this botnet special is that it consists of Android devices, can make it seem like the requests it send to sites are legitimate, and can encrypt the attack traffic.

As Chad Seaman, a senior engineer at Akamai, explained to Brian Krebs, the latter two capabilities can make attack mitigation considerably more difficult, as it’s difficult for defenders to tell apart legitimate and DDoS traffic.

Industry collaboration

The fast takedown of this botnet is the result of many things, including Google’s ability to “disinfect” affected Android devices remotely and the fact that researchers from Akamai, Cloudflare, Flashpoint, Google, RiskIQ, Team Cymru, and other organizations banded together.

“These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms. Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery,” the researchers pointed out.

“The best thing that organizations can do when under a DDoS attack is to share detailed metrics related to the attack. With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible.”