DDoS attacks blamed on 70,000-strong Android botnet

Security researchers discover Mirai-style 'WireX' botnet


A vast botnet comprised of 70,000 Android devices has been blamed by security researchers for a string of DDoS attacks conducted over the past few weeks.

Experts from cyber security organisations including RiskIQ, Flashpoint, Akamai, Cloudflare, Team Cymru, Oracle Dyn, Google and others joined forces to combat the botnet, dubbed WireX.

Similar to the Mirai attacks of last year, WireX used a network of malware-infected devices to flood targets with legitimate-looking HTTP requests, knocking them offline through the sheer volume of traffic.

Rather than IoT and networking devices, however, this attack was carried out using compromised Android phones. Researchers estimated that the botnet contained at least 70,000 devices in over 100 countries, although senior Akamai engineer Chad Seaman told security expert Brian Krebs that the figure could be much higher.

While researchers estimate that WireX could have been active from 2 August, the bulk of attacks did not start until 15 August, catching the attention of the security community a couple of days later on 17 August.

Advertisement - Article continues below
Advertisement - Article continues below

"These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms," said a joint blog post published by Akamai, Flashpoint, Cloudflare and RiskIQ. "Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery."

The researchers warned that keeping a DDoS attack quiet is almost impossible, and said victims should reach out for help rather than trying to pretend that everything is running smoothly.

"The best thing that organisations can do when under a DDoS attack is to share detailed metrics related to the attack," the blog post noted. "With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible."

According to the post-mortem report issued by the security companies involved, the malware masqueraded as seemingly-legitimate apps, including storage managers, ringtone apps and video players.

Many were downloadable only from third-party app stores, but roughly 300 of the malicious apps were hosted on the Google Play Store. Google has now removed these apps from its store, and is in the process of remotely wiping them from users' devices.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020
Microsoft Windows

Microsoft pulls disastrous Windows 10 security update

17 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020