Twitoor, uncovered by ESET, can plague Android devices with malicious malware
The first ever Twitter-controlled botnet has been discovered by security experts at ESET, who claim the backdoor is downloading malware onto infected Android devices.
Twitoor is a backdoor that is able to install dodgy malware and has been active for around a month, said ESET.
Porn and MMS
While the app isn’t listed on the official Android app store, it spreads to users by SMS and malicious URLs, impersonating porn players or MMS applications.
ESET said that on launch, the app masks its presence and checks the phone’s Twitter account for commands from a control server, acting as part of a botnet. When commands are received, it can download more malicious apps.
“Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” said Lukáš Štefanko, the ESET malware researcher who discovered the malicious app.
As malware that takes down devices to form botnets needs to receive instructions, that communication channel is vital to their survival, said ESET.
And to make the Twitoor botnet’s communication more resilient, botnet designers encrypted their messages and used innovative means for communication, among them the use of social networks, said ESET.
“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” said Štefanko.
Other non-traditional means of controlling Android bots have already been found in blogs or cloud messaging systems, said ESET, but Twitoor is the first Twitter-based bot malware, according to Štefanko.
“In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks”, states ESET’s researcher.
Twitoor has been found downloading versions of mobile banking malware. However, the botnet operators can start distributing other malware, including ransomware, at any time, warned Štefanko.
“Twitoor serves as another example of how cybercriminals keep on innovating their business,” Stefanko continues. “The takeaway? Internet users should keep on securing their activities with good security solutions for both computers and mobile devices.”