Probably never before has there been a DDoS (Distributed Denial of Service) botnet on Android as successful as this one, which took control of over 10 thousand mobile devices and used them to perform massive cyber attacks. The tools involved in these attacks are of a new class.

Play Store applications that perform their usual job are tag-teamed with malware that waits for commands from its control server. The commands include details on which websites to attack and when. The attack can be initiated from the app on the phone even when the phone is locked.

Google has deleted 300 apps from its Play Store which might have been created for the sole reason of forming the first Android botnets. Nearly 70,000 devices were involved in the attack, and the DDoS requests were initiated from more than 100 different countries.

WireX surfaced for the first time on Aug 2, 2017, but it came into the limelight on Aug 17, 2017. This attack resembles a previous attack from yesteryear, MIRAI. But MIRAI is not as sophisticated as WireX. Antivirus companies are classifying WireX as a click-fraud type of malware.

The origin of WireX is assumed to lie in click fraud. Click fraud is fraud that happens in pay-per-click online advertising. It is carried out by creating an automated program that fakes the entire process of many genuine users clicking ads in their web browsers, which in turn generates revenue for the promoter. Though DDoS botnets are extremely rare on Android devices, these botnets make sure their actions pass as legitimate activity from web browsers.

WireX has a “headless” browser that can perform all the actions a minimal browser can, without ever displaying anything on screen. WireX is also capable of encrypting its attack traffic with SSL, the same security technology web browsers on Android devices use to visit web pages that submit sensitive information. As a result, defenders have to decrypt incoming data before they can categorize whether it is part of a malicious attack.

The silver lining in this event was that many security organizations shared the information they uncovered, and bringing the attack down was a team effort. The companies involved in the takedown are Cloudflare, Akamai, Flashpoint, Google, Oracle-owned Dyn, RiskIQ, and Team Cymru.

The malicious apps that carry WireX are identified as “Android Clicker” by antivirus software. These Android Clicker apps are similar to click-fraud malware.

We can be happy that Google is removing these 300 identified apps, and hopefully more will be removed as they are identified. As usual, be cautious about what you install.

