Trojan Apps

By on Sep 29, 2017 in Uncategorized

Google has eliminated 300 apps from its online store after discovering a secret plugin silently installed across several Android devices. The seemingly innocuous apps were all secretly outfitted with the WiredX botnet. WiredX commandeers vulnerable Android phones and tablets, using the gadgets to kick off a DDoS attack. While Google does not yet have an official account of just how many devices currently host the WiredX botnet, Chad Seaman, a senior engineer at Akamai, a cyber security firm, estimates the number could reach 70,000 or more.

“I know in the cases where we pulled data out of our platform for the people being targeted we saw 130,000 to 160,000 (unique Internet addresses) involved in the attack,” said Seaman.

Silent, but Deadly

The initial WiredX outbreak occurred on August 17th, when several Content Delivery Networks (CDNs) reported similar DDoS attacks. A search for the source eventually landed at the doorstep of Google’s Play Store, prompting the tech firm to pull hundreds of affected applications from its store and initiate procedures to remove the malware from infected devices.

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” a Google spokesperson said. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”

The apps chosen to host the plugin provided genuine services, like ringtones and video players, but included hidden malware designed to commandeer the device for potential DDoS attacks. Once powered on, any infected phone or tablet mainly served as a soldier in a broader DDoS army – all unbeknownst to the user. While the apps themselves operated as promised, the malware surreptitiously connected to an internet server run by the WiredX creators. Once online, the WiredX hackers used the script to remotely control all the infected devices to launch their DDoS attacks.

“…this botnet makes it so that if you’re driving down the highway and your phone is busy attacking some website, there’s a chance your device could show up in the attack logs with three or four or even five different Internet addresses,” Seaman said in an interview with KrebsOnSecurity. “We saw attacks coming from infected devices in over 100 countries. It was coming from everywhere.”

Inter-Corporate Collaboration

After Akamai noticed one of the Android-based DDoS attacks, the company began working with researchers from several tech companies, including Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, and Team Cymru. The collaboration between these occasionally competitive organizations signals a new era in malware management, according to tech security journalist Brian Krebs; one brought about due to a similar attack by the Mirai worm launched from IoT devices last year.

“Experts involved in the takedown warn that WiredX marks the emergence of a new class of attack tools that are more challenging to defend against and thus require broader industry cooperation to defeat,” Krebs writes on his blog.

“When those really large Mirai DDoS botnets started showing up and taking down massive pieces of Internet infrastructure, that caused massive interruptions in service for people that normally don’t deal with DDoS attacks,” Allison Nixon, director of security research at New York City-based security firm Flashpoint, told Krebs. “It sparked a lot of collaboration. Different players in the industry started to take notice, and a bunch of us realized that we needed to deal with this thing because if we didn’t it would just keep getting bigger and rampaging around.”

Continued Vulnerability

The WiredX episode is just the latest in a series of security snafus that have plagued Google in recent months. Earlier this month, the company discovered several apps contained hidden surveillance software, and just last week researchers found banking malware hiding amongst several gaming apps. Because the Android OS relies on an open source platform, experts warn more malicious apps will likely appear. As always, when it comes to the security of your connected devices, the best defense involves awareness of potential vulnerabilities as well as proactive safeguards.

“With all these apps sneaking into Play, it’s up to you to protect yourself and your Android device,” warns Gizmodo’s Kate Conger. “If you’re ever in doubt about whether an app is safe, do some research on the developer and check out what permissions the app wants on your phone.”