A coalition of tech firms has taken down the WireX botnet, a malware network made up predominantly of Android phones running subverted apps.
The botnet first appeared on security researchers' radars on August 2 in a small way, and within weeks the number of infected nodes had reached the tens of thousands. It appears that the botnet's infection software was being hosted in Google's own Play Store, hidden in seemingly innocuous apps such as media players and ringtone tools.
"We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we're in the process of removing them from all affected devices," Google said in a statement. "The researchers' findings, combined with our own analysis, have enabled us to better protect Android users everywhere."
Estimates of the botnet's total size vary, because infected nodes only check in when the phone they are on is active, but it is thought to be in the low six figures. The botnet was used to launch distributed denial of service attacks at the application layer, flooding targets with HTTP GET requests from the infected handsets until the victims' web servers buckled under the load.
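What an HTTP GET flood of this kind looks like from the target's side, as an added example that is not code from the article, Google or Akamai: the script below parses access-log lines in the common combined format and flags any path that is hit within one short window by many distinct source addresses, each sending only a request or two. That many-sources, low-rate-per-source shape is what distinguishes a botnet flood from a single noisy client. The log lines, addresses (drawn from documentation ranges), window size and thresholds are constructed assumptions for the demonstration, not WireX-specific signatures.

```python
"""Flag distributed HTTP GET floods in combined-format access logs.

Added example, not code from the article, Google or Akamai. Every log
line, address and threshold here is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Nginx/Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "ua": m.group("ua")}


def find_get_floods(lines, window_s=10, min_requests=50, min_distinct_ips=20):
    """Return windows in which one path drew many GETs from many distinct IPs.

    A single-source burst trips min_requests but not min_distinct_ips, so it
    is left to ordinary per-client rate limiting rather than reported here.
    Thresholds are illustrative assumptions; tune them to the site's baseline.
    """
    buckets = defaultdict(list)  # (path, window_start_epoch) -> source IPs seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        win = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[(rec["path"], win)].append(rec["ip"])
    alerts = []
    for (path, win), ips in sorted(buckets.items()):
        distinct = len(set(ips))
        if len(ips) >= min_requests and distinct >= min_distinct_ips:
            alerts.append({"path": path, "window_start": win,
                           "requests": len(ips), "distinct_ips": distinct,
                           "per_ip": round(len(ips) / distinct, 2)})
    return alerts


def make_line(ip, when, path, ua="Mozilla/5.0"):
    """Build one constructed combined-format GET line for the sample."""
    ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def constructed_sample():
    """Constructed traffic: one distributed flood, one single-source burst, noise."""
    base = datetime(2017, 8, 17, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Botnet shape: 60 distinct sources (203.0.113.0/24, a documentation range),
    # one GET each, same path, all inside one 10-second window.
    for i in range(60):
        lines.append(make_line(f"203.0.113.{i + 1}",
                               base + timedelta(seconds=i % 10), "/index.html"))
    # Single-source burst: one client sends 60 GETs; volumetric but not distributed.
    for i in range(60):
        lines.append(make_line("198.51.100.7",
                               base + timedelta(seconds=i % 10), "/search"))
    # Background traffic and one malformed line the parser must tolerate.
    lines.append(make_line("192.0.2.5", base + timedelta(seconds=3), "/about"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in find_get_floods(constructed_sample()):
        print(alert)
```

Run as-is, the script reports only the /index.html window (60 requests from 60 addresses, one request per address); the 60-request burst to /search from a single client is ignored by this check because it is not distributed. In production the same logic runs over a tail of the live log or a SIEM export, and the per-IP figure is the useful one: a per-IP count near 1 across dozens of sources is the fingerprint of a botnet, not a misbehaving crawler.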
By August 17 the botnet had spread to devices in 100 countries, and the DDoS attacks were getting serious. Researchers found the rogue code and determined that it was possibly advertising click-fraud software that had been repurposed for DDoS attacks.
Infected apps still performed their advertised functions as normal, but also ran hidden processes under system-sounding names like Device Analysis, Data Storage and Package Manager, so that a user glancing at running services would see nothing out of place. The Play Store has now been cleaned up, and the researchers say Google has closed the attack vector.
Different pieces of the puzzle
"These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms," Akamai said in a blog post. "Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery."
The case also highlights yet another failure of Google's Bouncer machine learning system, which is supposed to find and block malware-laden apps from the Play Store. While third-party Android app stores are routinely packed with infected apps, Bouncer has been touted by the Chocolate Factory as a way to ensure that its Play Store is clean.
But, as we've seen with depressing regularity, Bouncer keeps waving through apps that have it fooled. It's likely that malware developers are using Bouncer itself as a test harness: submitting new ways of hiding malicious code in normal-looking apps and refining their techniques until one gets past the system.
While malware does occasionally make its way into the Apple App Store, it's relatively rare. That Google, with all its resources, can't do the same isn't very impressive and will only help the popularity of iOS. ®