New malware is targeting Android devices, which then end up used as part of the WireX botnet to launch distributed denial of service (DDoS) attacks, researchers said.
The malware ended up discovered by Akamai when the company was investigating an attack launched against a client in mid-August.
The company found signs of DDoS attacks based on the Android malware infection. The infection, however, was only in its early stages at that point, so in a classic botnet procedure the malware only became more prominent when the number of targets increased and more devices ended up compromised.
Malware used to infect Android devices has been injected into various apps from popular categories, including video players, ringtone tools, and resource managers. Once infected, a device ends up used to generate traffic and contribute to a larger scale DDoS attack as part of the WireX botnet.
The research revealed approximately 70,000 unique IPs were used for the attacks, and experts believe that nearly 100,000 devices ended up compromised.
The malware compromises the device in the traditional way, as it queries a command and control server and waits for attack commands.
“The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them. These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use,” researchers said in a blog post. “Antivirus scanners currently recognize this malware as the “Android Clicker” Trojan, but this campaign’s purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS.”
Google has already removed the infected apps from the Play Store, but now individual users need to remove the malware from their devices as nearly 100,000 devices are believed to be infected.