WireX botnet offers glimpse of Android DDoS threat

A consortium of internet companies has disrupted a botnet called WireX that has plagued Content Delivery Networks (CDNs) with nuisance DDoS attacks in recent weeks.

There’s nothing special about DDoS attacks or botnets but we’re writing up WireX for several reasons, starting with the fact it was built from infected Android devices.

Given that researchers believe it might have infected 140,000 devices in 100 countries by its peak on August 17, that’s a big DDoS botnet by Android standards, perhaps the biggest ever.

The source of infection was any one of 300 apps downloaded from the Google Play Store that had somehow sneaked past the store’s much vaunted security algorithms.

Despite what Google says, it’s perfectly possible to do this, as demonstrated by a separate incident this month when 500 applications (with 100 million downloads) were yanked after a mobile security company discovered an embedded advertising SDK was being used to update them with spyware.

The WireX-infected apps, by contrast, hid their malevolent behaviour behind ordinary-looking media players, ringtones and storage managers. Designed to launch DDoS attacks in the background (in other words, when the device is turned on but not in use), it’s possible owners would have been unaware of anything untoward.

The companies believe it sprang into life around August 2, growing rapidly to its peak in the middle of the month when they decided to collaborate to track down what was behind this sudden DDoS spike.

It’s not clear whether it was the size of the attacks that caught their attention or the unusual way traffic from it was distributed across many countries. That WireX appeared suddenly would have stood out.

Probably built on the skeleton of an old click-fraud app, WireX isn’t even that sophisticated, relying on throwing lots of HTTP traffic at target websites until they choke.

It’s a simple tactic but also clever because the traffic looks legitimate. This makes it tricky to stop without taking servers offline, which is why researchers pooled resources to root out the botnet’s infected clients the hard way.

WireX did, at least, bring everyone together in a matter of days. Said participant Akamai:

In the wake of the Mirai attacks, information sharing groups have seen a resurgence, where researchers share situation reports and, when necessary, collaborate to solve internet-wide problems.

This would have meant sharing competitive data such as IP addresses, request headers and, in WireX’s case, DDoS ransom notes sent to CDNs. Privacy concerns mean that doing this isn’t always as simple as it might seem from the outside.

Which devices are vulnerable?

Given that infected apps were downloaded from the Play Store (their names haven’t been revealed), any version of Android they were compatible with could have been targeted. Devices running Android security software such as Sophos Mobile Security for Android will detect WireX, with some identifying it as generic click fraud malware.

Command and control domains are identified in the WireX advisory, published by researchers. It’s possible that a temporary defence against WireX would be to set “restrict background data”.

Researchers from SophosLabs’ Android team say customers are protected against this threat.