Google has removed about 300 apps from the Play Store after they were found to be part of an Android botnet. This was revealed by a joint investigation by several security and internet companies, which uncovered the so-called WireX botnet.
The companies, including Akamai, Cloudflare, Flashpoint and RiskIQ, jointly published the results of the investigation. They write that on August 17, several CDNs were hit by a DDoS attack, which drew attention to the botnet responsible. The botnet may have been active since August 2, but those earlier attacks were too small to be noticed. That would indicate that the malware was still under development at the time.
The discovery came when the companies searched their log files for the text that appeared in the User-Agent header of the attack requests: a random sequence of lowercase letters. That search eventually led them to an Android application, after which its binaries could be examined. It turned out that a small portion of the apps could be found in app stores, including the Play Store.
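The indicator described above is easy to hunt for in ordinary web server logs: a browser User-Agent always contains slashes, digits, spaces or parentheses ("Mozilla/5.0 (...)"), so a value made up of nothing but lowercase letters stands out. The following Python script is an added example, not code from the report or from any of the companies named. It parses combined-format access log lines (the log format and the sample lines, including the lowercase User-Agent strings and IP addresses, are constructed for the example), flags requests whose User-Agent is lowercase letters only, and ranks the targeted paths by the number of distinct source IPs, since fan-out across many addresses is what separates a botnet from one misbehaving client. The minimum length threshold is an assumption of the example, not a figure from the report.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format. Assumption of the example: the report does
# not say which log format the CDNs were searching.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The published indicator: a User-Agent consisting only of lowercase ASCII letters.
ONLY_LOWER_RE = re.compile(r'^[a-z]+$')

# Assumption of the example: ignore short bare-word agents such as "healthcheck"
# to keep false positives down. The report gives no length figure.
MIN_LEN = 16

# Constructed sample log lines; the lowercase agents are made-up strings, not
# indicators taken from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2017:13:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [17/Aug/2017:13:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "qkxrmlvpzhwtcbgyfodusanje"
198.51.100.8 - - [17/Aug/2017:13:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "bvmqtlrxzpwoknghjcdesafuy"
198.51.100.9 - - [17/Aug/2017:13:00:03 +0000] "POST /login HTTP/1.1" 403 0 "-" "ztkqwnxcbmhvlpsgdjrfuoaeyi"
198.51.100.7 - - [17/Aug/2017:13:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "qkxrmlvpzhwtcbgyfodusanje"
192.0.2.44 - - [17/Aug/2017:13:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Wget/1.19.1 (linux-gnu)"
192.0.2.45 - - [17/Aug/2017:13:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "-"
192.0.2.46 - - [17/Aug/2017:13:00:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "healthcheck"
"""


def is_wirex_like_ua(ua: str) -> bool:
    """True when the User-Agent is lowercase letters only and long enough to matter."""
    return len(ua) >= MIN_LEN and ONLY_LOWER_RE.match(ua) is not None


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return the flagged records and a per-path aggregate of IPs, methods and agents."""
    flagged = []
    per_path = defaultdict(lambda: {"ips": set(), "methods": Counter(), "uas": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or not is_wirex_like_ua(rec["ua"]):
            continue
        flagged.append(rec)
        agg = per_path[rec["path"]]
        agg["ips"].add(rec["ip"])
        agg["methods"][rec["method"]] += 1
        agg["uas"].add(rec["ua"])
    return flagged, per_path


def summarize(per_path):
    """Targets ranked by distinct source IPs: (path, distinct_ips, {method: count})."""
    return sorted(
        ((path, len(a["ips"]), dict(a["methods"])) for path, a in per_path.items()),
        key=lambda t: t[1],
        reverse=True,
    )


if __name__ == "__main__":
    flagged, per_path = scan(SAMPLE_LOG.splitlines())
    print(f"{len(flagged)} suspicious requests")
    for path, n_ips, methods in summarize(per_path):
        print(f"{path}: {n_ips} distinct IPs, methods={methods}")
```

In the sample, the repeated request from 198.51.100.7 counts once in the distinct-IP tally for /index.html, and the POST to /login is caught by the same User-Agent rule, which matters because the POST variant mentioned later in the article targets a different request type but shares the agent pattern. In production the length threshold would be replaced by an allowlist of known internal agents, and the distinct-IP count per target over a short window is the signal to alert on.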
The apps posed as legitimate media players, ringtone apps or storage managers. After installation, they connected to a central C2 (command-and-control) server, which supplied them with attack commands aimed at a specific target. This also worked when the app was only running in the background. After the companies notified Google, Google removed the apps from the Play Store and from affected devices, so the apps can no longer be installed, according to the companies.
A DDoS attack on August 15 involved about 70,000 different devices, the companies said. Akamai told investigative journalist Brian Krebs that between 130,000 and 160,000 unique IP addresses were identified across the attacks and that the earlier figure is a conservative estimate. The August 17 attack involved IP addresses from more than 100 countries. The botnet mainly used HTTP GET requests as its attack method; other variants used POST requests.
The companies write that their collaboration dates from the period when the Mirai botnet was carrying out large DDoS attacks, for example on DNS provider Dyn and on Brian Krebs' site. At the time it became clear that more cooperation was needed to repel such attacks.