Categories: Security

Botnet Launches DDoS Attacks From Thousands Of Android Devices

Researchers have identified a botnet that ran on more than 100,000 Android devices and used their internet connections to launch distributed denial-of-service (DDoS) attacks in one of the first times Google’s mobile platform has been targeted by a botnet.

The WireX botnet was discovered when a number of online content providers and content delivery networks were hit by DDoS attacks on 17 August. Researchers tracked the attacks to hundreds of malicious applications that had been downloaded from Google Play and elsewhere.

Botnet takedown

Google said it removed about 300 apps from its Play Store alone and researchers said the company’s PlayProtect no longer allows the apps involved to install.

The search giant said it’s also in the process of removing the malware from all Android devices.

The malware was also found in other well-known, preconfigured mobile app stores, researchers said.

WireX’s apps pose as utilities, media players and other innocuous-looking software. Source: Akamai

The incident is the latest in which internet-connected devices have been used to launch attacks. Last year the Mirai botnet, which infects Linux-based devices such as IP cameras and home routers, was used to carry out high-profile attacks on French hosting company OVH and DNS services provider Dyn, and has been used to carry out more attacks this year.

In this case the botnet was identified before it had developed the ability to carry out large-scale attacks, according to researchers. They observed WireX making use of more than 120,000 IP addresses and directing up to 20,000 HTTP requests per second at targets, which they called “significant”, but which is still relatively manageable.

Loading ...

Innocuous apps

DDoS attacks attempt to overwhelm server resources so that a site or resource becomes unavailable to legitimate users. Dismantling the botnets that drive such attacks can be complex due to the complexity of identifying the systems that are involved, generally without the knowledge of their legitimate users.

WireX used systems spread across more than 100 countries, which is unusual for current botnets, researchers said.

A number of companies collaborated to identify the source of the attacks, including Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others.

They determined that WireX devices presented a user agent identifier made up of the 26 letters of the English alphabet in a random order, and by searching through logs from previous incidents they determined the botnet had been used in smaller attacks as far back as 2 August. As of 15 August the botnet carried out attacks involving at least 70,000 IP addresses, researchers said.


WireX apps present themselves as software such as media or video players, ringtone modifiers or storage managers and launch a service in the background that polls a remote server for attack commands and generates out DDoS traffic. The malware uses what may be a click-fraud engine repurposed for DDoS.

Collaboration key

In one case the app involved was a bare-bones ringtone software presenting only three tones. Researchers found the DDoS engine continued to carry out attacks even when the phone’s screen was locked.

“When we left the phone on a charger and let it go to sleep, it continued to launch DDoS attacks,” they wrote in an advisory simultaneously published by Akamai, Cloudflare, Flashpoint, and RiskIQ.

The researchers emphasised the importance of collaboration to identifying WireX and urged organisations to share metrics related to attacks to help identify future malware.

“These metrics include packet captures, lists of attacking IP addresses, ransom notes, request headers, and any patterns of interest,” they wrote.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Goes On Trial In US Over Ad Tech Dominance

US trial of Google over ad tech market power begins, with forced divestiture of ad…

1 hour ago

US DOJ To Propose Google Penalties By End Of Year

US judge gives Justice Department until end of year to formulate plan for Google punishment…

8 hours ago

Trump ‘To Appoint Musk’ To Gov’t Efficiency Role If Elected

Donald Trump says he would appoint Elon Musk to lead government efficiency commission if elected,…

9 hours ago

Australian Official Received Death Threats After Musk Criticism

Australian eSafety commissioner says she received death threats after Musk criticised her for trying to…

9 hours ago

Man Arrested After ‘Earning Millions’ From AI Music Tracks

US man allegedly earned more than $10m in royalties streaming hundreds of thousands of fake…

10 hours ago

NCSC Calls Out Cyber-Attacks From Russia’s GRU

UK's NCSC and allies outline campaign of attacks from unit of Russia's military intelligence service…

10 hours ago