Last week, Google was forced to remove around 300 Android apps from its Google Play Store that had managed to infect tens of thousands of Android phones in more than 100 countries. Those apps were found to contain embedded malware and were part of the WireX Distributed Denial-of-Service (DDoS) botnet, which thrives on infected user devices running the malicious application in the background.
WireX was first noticed by the cloud services provider Akamai on August 17, when it saw a few attacks carried out from 70,000 different IP addresses around the world against large websites in the hospitality industry.
According to a report by KrebsOnSecurity, experts from several tech firms have teamed up to take down the ‘WireX’ Android DDoS botnet. They observed that the ‘WireX’ botnet is more challenging to defend against and thus requires broader industry cooperation to defeat.
(This graph shows the rapid growth of the WireX botnet in the first three weeks of August 2017)
After researching WireX together, they noticed that the WireX DDoS malware is still present on smartphones that were infected earlier, and that it uses HTTP flood techniques to launch DDoS attacks.
More recently, it was found that the malware has been upgraded with the capability to launch User Datagram Protocol (UDP) flood attacks as well, a type of DoS attack that targets random ports on a victim host with a large volume of UDP packets. The experts also analyzed a bot making use of the malware that ran 50 threads, each of which is able to send up to 10 million UDP packets of 512 bytes each.
They also noticed that the attack execution technique of ‘WireX’ differs from most DDoS malware. There are usually two concurrent processes: one communicates with the Command and Control (CnC) server, which issues commands, and the other executes the packet flooding in a loop that requires an instruction to stop. In the case of WireX, it was observed that the execution process does not require any instruction to stop: the packet-flooding loop keeps running until the bot itself signals the CnC to stop.
From these findings, it seems that the WireX malware is still in its QA stage. Rest assured, we can expect to see many different variants of it in the near future, as attackers are always lurking, ready to subvert new technologies.
To check whether your Android device is infected, look at the apps running in the background. If you see an app that you did not install or grant permissions to, kill that process or uninstall the app. Whenever you install an app on your device, always review the permissions it asks for. If the app looks fishy, simply avoid installing it.