Android devices used for DDoS attack through WireX botnet targeting CDNs

A team of researchers from several top tech firms has written a post to share information about the cyber attacks from a botnet that affected a number of apps on Google Play Store this month. The team also wished to know what is being done to curb further ambushes by cybercriminals. [caption id=“attachment_3988473” align=“alignleft” width=“380”]  Image: Uncalno Tekno[/caption] According to the post published by Cloud delivery firm **Akamai** late on Monday, multiple Content Delivery Networks (CDNs) and content providers were subjected to significant attacks from a botnet dubbed ‘WireX’ on 17 August. A **botnet** is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge. The ‘WireX’ botnet comprises primarily Android devices running malicious applications and is designed to create a denial-of-service (DDoS) attack – that occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. The botnet is often associated with ransom notes to targets. Google was alerted about the presence of this malware on Play Store, researchers from Akamai, Cloudflare, Flashpoint, Oracle Dyn, RiskIQ, and other organisations who cooperated to combat this botnet, researchers wrote in the post. Shortly following the notification, Google removed hundreds of affected applications and started the process to remove the applications from all devices.  “We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” Google said in a statement. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere,” the statement added. The first available indicators of the WireX botnet appeared on August 2 as minor attacks that went unnoticed at that time. These initial attacks were minimal and suggested that the malware was in development or in the early stages of deployment. Prolonged attacks were identified starting from August 15, with some events sourced from a minimum of 70,000 concurrent IP addresses. Analysis of the incoming attack data for the August 17 attack revealed that devices from more than 100 countries participated, an uncharacteristic trait for current botnets. The investigation later revealed a connection between the attacking IPs and something malicious, running on top of the Android operating system. According to Jared Mauch, Senior Network Architect and Security Researcher, Akamai, the only way to be safe is by truly understanding what is happening on the internet. “Trusted information sharing groups are one of the best ways to foster that understanding. In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner,” Mauch said. “Working together to fight these threats benefits not only our collective customers, but also Internet users as a whole,” Mauch added. Last week, Akamai published a report in which India ranked eighth among countries most frequently targeted for web application attacks and stood fifth on the list of source countries, with close to 12 million attacks sourced from the country. The report said that there has been a 28 per cent year-over-year (YoY) increase in total DDoS attacks globally in the second quarter of 2017. Though the frequency of DDoS attacks increased, the number of IP addresses involved in volumetric DDoS attacks dropped 98 per cent from 595,000 to 11,000 indicating the use of fewer devices to launch such attacks.