A team of security researchers from several security firms have uncovered a new, widespread botnet that consists of tens of thousands of hacked Android smartphones.
Dubbed WireX, detected as “Android Clicker,” the botnet network primarily includes infected Android devices running one of the hundreds of malicious apps installed from Google Play Store and is designed to conduct massive application layer DDoS attacks.
Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet. Evidence indicates that the botnet may have been active as early as August 2nd, but it was the attacks on August 17th that drew the attention of these organizations when multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks.
The first available indicators of the WireX botnet appeared on August 2nd as minor attacks that went unnoticed at the time. It wasn’t discovered until researchers began searching for the 26 character User-Agent string in logs.
WireX is a volumetric DDoS attack at the application layer. The traffic generated by the attack nodes is primarily HTTP
GET requests, though some variants appears to be capable of issuing
POST requests. In other words, the botnet produces traffic resembling valid requests from generic HTTP clients and web browsers.
During initial observation, the majority of the traffic from this botnet was distinguished by the use of an HTTP Request’s User-Agent string containing the lowercase English alphabet characters, in random order.
Some of the User-Agent values seen:
User-Agent: jigpuzbcomkenhvladtwysqfxr User-Agent: yudjmikcvzoqwsbflghtxpanre User-Agent: mckvhaflwzbderiysoguxnqtpj User-Agent: deogjvtynmcxzwfsbahirukqpl User-Agent: fdmjczoeyarnuqkbgtlivsxhwp User-Agent: yczfxlrenuqtwmavhojpigkdsb User-Agent: dnlseufokcgvmajqzpbtrwyxih
Variants of the malware have also been observed emitting User-Agent strings of varying length and expanded character sets, sometimes including common browser User-Agents. Here are some samples of other User-Agents observed:
User-Agent: xlw2ibhqg0i User-Agent: bg5pdrxhka2sjr1g User-Agent: 5z5z39iit9damit5czrxf655ok060d544ytvx25g19hcg18jpo8vk3q User-Agent: fge26sd5e1vnyp3bdmc6ie0 User-Agent: m8al87qi9z5cqlwc8mb7ug85g47u User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729) User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:188.8.131.52) Gecko/20071018 BonEcho/184.108.40.206 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_7; en-us) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2
After further investigation, security researchers identified more than 300 malicious apps on Google’s official Play Store, many of which purported to be media, video players, ringtones, or tools for storage managers and app stores, which include the malicious WireX code.
Just like many malicious apps, WireX apps do not act maliciously immediately after the installation in order to evade detection and make their ways to Google Play Store.
Investigation of the logs from attacks on August 17th revealed previous attacks meeting the same signature implicated the first Android application,
Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected. At the launch of the applications, the nefarious components begin their work by starting the command and control polling service which queries the command and control server, most commonly
g[.]axclick[.]store, for attack commands. When attack commands are received, the parsing service inspects the raw attack command, parses it and invokes the attacking service with the extracted parameters.
The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them. These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use. Antivirus scanners currently recognize this malware as the “Android Clicker” trojan, but this campaign’s purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS.
PREVENTION & MITIGATION
If your device is running a newer version of the Android operating system that includes Google’s Play Protect feature, the company will automatically remove WireX apps from your device, if you have one installed.
Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.
Also, it is highly recommended to install apps from reputed and verified developers, even when downloading from Google official Play Store and avoid installing unnecessary apps.
Additionally, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.