ESET Security researcher found DDOS Attacks Through Malicious Android App.
Some of the Cyber threat actors was targeting ESET’s website, after that the company security researchers were able to identify the malicious app, and report to Google. Google has been removed it from the Play Store.
The malicious app called “Updates for Android”, it was active to the Play store since 9 September 2019. Also it promoted to Malwaretising.
The app reached over 50,000 installs; we don’t know how many instances of the app were installed after the update or were updated to the malicious version.
The malicious android app has a corresponding website, i-updater[.]com, that promotes itself as “daily news updates”. (The website is still live; there are no grounds for any takedown effort as the website itself is not malicious.)
To avoid suspicion, the app displays some news; however, its main functionality is to receive commands from a pre-defined website that serves as the Command and Control server (C&C). The malware pings the C&C every 150 minutes and provides its device ID – a measure that allows for each device being controlled individually.
The DDoS attack starts with the compromised device receiving a command to load the attacker’s script that specifies the targeted domain. Once the script is loaded, the device starts making requests to the targeted domain until it is served with another script by the C&C server which may contain a different target domain.
Lukas said, since we started to monitor the website providing C&C functionality to the botnet, we witnessed another six scripts being served, each containing a different domain for the captive devices to attack.
Those were notable news and ecommerce sites, most of them in Turkey. Since February 2, the script is empty, meaning the attackers tried to serve their botnet until two days after Google put the end to (most of) it, Lukas added.
Indicators of Compromise (IoCs)
Package name: com.world.hello.myapplication
Finally, the Google has removed the malicious app from the Android Play Store.