DDoS attacks blamed on 70,000-strong Android botnet

Security researchers discover Mirai-style 'WireX' botnet


A vast botnet comprised of 70,000 Android devices has been blamed by security researchers for a string of DDoS attacks conducted over the past few weeks.

Experts from cyber security organisations including RiskIQ, Flashpoint, Akamai, Cloudflare, Team Cymru, Oracle Dyn, Google and others joined forces to combat the botnet, dubbed WireX.

Similar to the Mirai attacks of last year, WireX used a network of malware-infected devices to flood targets with legitimate-looking HTTP requests, knocking them offline through the sheer volume of traffic.

Rather than IoT and networking devices, however, this attack was carried out using compromised Android phones. Researchers estimated that the botnet contained at least 70,000 devices in over 100 countries, although senior Akamai engineer Chad Seaman told security expert Brian Krebs that the figure could be much higher.

While researchers estimate that WireX could have been active from 2 August, the bulk of attacks did not start until 15 August, catching the attention of the security community a couple of days later on 17 August.

Advertisement - Article continues below

"These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms," said a joint blog post published by Akamai, Flashpoint, Cloudflare and RiskIQ. "Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery."

The researchers warned that keeping a DDoS attack quiet is almost impossible, and said victims should reach out for help rather than trying to pretend that everything is running smoothly.

"The best thing that organisations can do when under a DDoS attack is to share detailed metrics related to the attack," the blog post noted. "With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible."

According to the post-mortem report issued by the security companies involved, the malware masqueraded as seemingly-legitimate apps, including storage managers, ringtone apps and video players.

Many were downloadable only from third-party app stores, but roughly 300 of the malicious apps were hosted on the Google Play Store. Google has now removed these apps from its store, and is in the process of remotely wiping them from users' devices.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Best antivirus for Windows 10

3 Sep 2019

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019

Five signs that it’s time to retire IT kit

29 Nov 2019
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019