
Google removes Play Store apps used in WireX DDoS botnet

Google has axed around 300 Play Store apps after security researchers revealed the apps were hijacking Android devices to carry out DDoS attacks

Security researchers have discovered that hundreds of seemingly benign apps in Google’s Play Store have been infecting Android devices with botnet malware.

The malicious apps were mainly media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to users.

Google has axed the offending apps and is removing the applications from infected devices that were hijacked into a botnet used for distributed denial of service (DDoS) attacks.

The malicious apps took advantage of features of the Android service architecture allowing applications to use system resources to launch attacks, even while in the background and not in use.

This discovery of malicious apps in the Google Play Store and other Android app stores further underlines the need for Android users to check carefully the permissions of any apps they download.

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle, Dyn, RiskIQ, Team Cymru, and other organisations, including the FBI, cooperated to halt “significant attacks” by the botnet on 17 August 2017.

Targeted organisations were hit by requests from hundreds of thousands of IP addresses from more than 100 countries, with at least 70,000 Android devices believed to have been infected.

Multiple content delivery networks (CDNs) and content providers were targeted by the botnet, dubbed WireX, with some receiving ransom demands, the researchers said in a joint blog post.

WireX is a volumetric DDoS attack at the application layer, the researchers said, and while the traffic generated by the attack nodes is primarily HTTP GET requests, some variants appear to be capable of issuing POST requests.

According to the researchers, information-sharing groups and collaboration among peers to solve internet-wide attacks have seen a resurgence in the wake of the Mirai botnet attacks and have been further strengthened by the WannaCry, [Not]Petya and other global events.


Like the Mirai botnet, WireX was designed to harness the power of hundreds of thousands of connected devices making up the internet of things (IoT) to carry out DDoS attacks.

The discoveries about the WireX botnet attacks were only possible due to open collaboration between DDoS targets, DDoS mitigation companies and intelligence firms, the researchers said.

“Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery,” they said.

The researchers encouraged organisations that come under DDoS attacks to share detailed metrics related to the attack to help them learn more about and dismantle the attacks.

“The working group was able to connect the dots from the victim to the attacker,” said Allison Nixon, director of security research at Flashpoint.

“The group also used the information to better mitigate the attack and dismantle the botnet, and this was completed very quickly,” she said.

According to Nixon, a botnet of this extreme size is concerning for the sake of the Internet as a whole. “I want to especially thank the organisations who are attacked with DDoS traffic and are kind enough to share detailed information about the attacks. These contributions are vitally important to dealing with these global threats,” she said.

News of the WireX attacks comes as Corero Network Security published data from freedom of information (FOI) requests that shows UK providers of critical national infrastructure (CNI) are not doing enough to address DDoS attacks.

While DDoS attacks represent a serious challenge to security and availability for operators of essential services, Corero points out that low volume, short duration DDoS attacks are also a threat.

Due to their small size, these “stealth” DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network by installing malware.

The FOI data collected by Corero shows that 51% of responding UK critical infrastructure organisations are potentially vulnerable to DDoS attacks because they do not detect or mitigate short-duration surgical DDoS attacks on their networks.
