A collaborative front of tech companies and researchers coordinated to slow the WireX botnet, several companies announced Monday.
Botnets are networks of hacked computers often used to launch attacks on third parties. By coordinating systems to contact the same server simultaneously, a botnet can overwhelm a target with traffic in what’s known as a distributed denial of service (DDoS) attack, which can make websites unreachable until the attack subsides.
Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others coordinated on thwarting the WireX botnet, which affected Android devices.
WireX used roughly 300 malicious apps available in the Google Play store to infect its victims, ultimately taking over systems in more than 100 different countries — a quantity the joint write-up of the operation described as “an uncharacteristic trait for current botnets.”
Google has removed the 300 apps from its store and is uninstalling them from devices.
The companies became aware of WireX on Aug. 17, when many of those involved in the research noted attacks against their clients. Companies like Akamai and Cloudflare offer protection against DDoS attacks. Further research showed the attacks dated back to at least Aug. 5.
At its height, WireX used devices at around 120,000 unique internet addresses each hour in its attacks.
The fake apps included “media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected.”
Researchers believe that the main structure of the malware used in WireX may have been originally intended for advertising fraud — certain antivirus programs recognize the malware as the click fraud program “Android Clicker,” despite its being repurposed for DDoS attacks.