WireX DDoS Botnet Enslaves Android Devices via Infected Play Store Apps – Tech Industry Vows to Take It Down
Security experts repeatedly ask users to stick to official app stores and to be cautious about downloading apps from third-party stores, which are mainly prevalent in countries like China. However, even when you do get your apps from the official stores, there is no guarantee they are free of malware.
Security researchers from over half a dozen technology giants have joined forces to take down a DDoS (distributed denial of service) botnet made up of Android devices. Akamai, Cloudflare, Flashpoint, Google, Oracle, Dyn, RiskIQ, Team Cymru, and other companies are trying to take down the WireX botnet, which first appeared earlier this month and has so far infected thousands of devices.
What is the WireX botnet: 300 infected apps, tens of thousands of enslaved Android devices
WireX is a botnet built mostly from Android devices that have downloaded malware-infected apps distributed via third-party app stores and the official Google Play Store. The malware is distributed through hundreds of different apps in these stores. Once a user downloads an infected app, their phone becomes part of the DDoS botnet.
"On August 17th, 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX. The botnet is named for an anagram for one of the delimiter strings in its command and control protocol. The WireX botnet comprises primarily Android devices running malicious applications and is designed to create DDoS traffic. The botnet is sometimes associated with ransom notes to targets." - Statement
Like other botnets of its kind, WireX is designed to conduct massive DDoS attacks. While the botnet initially launched only very small attacks, two weeks later, harnessing the power of tens of thousands of infected devices, it started to take down several large websites, mainly in the hospitality industry.
"We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices. The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere." - Google
Akamai has said that the data shows "130,000 to 160,000 (unique Internet addresses) involved in the attack." However, the collaborative statement released by the tech firms puts the number of infected Android devices at a minimum of 70,000. That figure is likely very conservative.
"Seventy thousand was a safe bet because this botnet makes it so that if you’re driving down the highway and your phone is busy attacking some website, there’s a chance your device could show up in the attack logs with three or four or even five different Internet addresses. We saw attacks coming from infected devices in over 100 countries. It was coming from everywhere." - Akamai
Collaboration is a result of the Mirai botnet
The latest collaboration between several industry giants may come as a surprise to many, as this botnet's attacks do not appear to come close to the damage done by some previous botnets. However, researchers have said that the industry started working together after Mirai took down large swathes of the internet last year while no one had a mitigation plan.
"When those really large Mirai DDoS botnets started showing up and taking down massive pieces of Internet infrastructure, that caused massive interruptions in service for people that normally don’t deal with DDoS attacks," Allison Nixon of security firm Flashpoint said.
"It sparked a lot of collaboration. Different players in the industry started to take notice, and a bunch of us realized that we needed to deal with this thing because if we didn’t it would just keep getting bigger and rampaging around."
Google recently announced its Play Protect feature, which scans all apps for malware before and after you install them. You can enable it from the Google Play Store app by going to Menu > Play Protect icon.