IT Security Vendors Successfully Neutralize Deadly WireX Android Botnet through Collaboration – Google Removes Malicious Infected Apps from Play Store.

Attacks like those launched through the Mirai botnet in 2016 or WannaCry and NotPetya in 2017 had a global impact. Unsurprisingly, a whopping number of organizations were affected, and security experts were criticized left, right and center. This is what compelled tech firms to initiate an informal collaborative research effort to find ways to neutralize another major botnet, called WireX.

The firms that united against WireX included Akamai, Flashpoint, RiskIQ, and CloudFlare. Security researchers and experts from these firms collaborated and published a series of blog posts explaining how they, together with researchers from other organizations including Google, identified, studied and eventually neutralized WireX.

It must be noted that this wasn’t a takedown attempt but a neutralizing effort, which resulted in isolating the characteristics of the abnormal GET and POST traffic so that it could be blocked. Google was also roped in to detect and delete the apps from the Play Store and to disinfect all the affected devices.

WireX was used for the first time on August 2, but it failed to create much havoc since the attacks were small in scale, probably because the malware was still in its developmental stages at that time. However, it resurfaced about two weeks ago, and this time it wasn’t possible to ignore it.

From August 15th, the experts explained, the attacks intensified and became prolonged, with some sourced from at least 70,000 synchronized IP addresses, taking down various high-profile websites in the hospitality sector. The attacks became more and more volumetric with the passage of time. They targeted the application layer with legitimate-looking web traffic consisting of HTTP GET requests. At this stage, a number of cyber-security experts detected the attacks, and the collaborative effort was planned and organized.

The initial investigation involved reviewing historical log data. It revealed a direct link between the attacking IP addresses and a malicious program, which quite possibly was “running on top of the Android operating system.” Logs from August 17 onwards pointed to the involvement of an Android app, which was then searched for using a wide range of variations in the name and parameters of the app bundle. Researchers found that multiple other apps (about 300) were available under the same name, with identical descriptions and from the same authors. These were harmless-looking apps with somewhat benign functions.
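As an added illustration of the log-review step described above (not code from the article or from the vendors involved), this Python script scans web-server access-log lines for the application-layer pattern the investigators looked for: many distinct source addresses sending almost exclusively GET requests to the same path within a single minute. The log lines, thresholds and the `/rooms` path are constructed assumptions.

```python
import re
from collections import defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "17/Aug/2017:10:00:01 +0000" -> "17/Aug/2017:10:00" (one-minute bucket)
    rec["minute"] = rec["ts"][:17]
    return rec

def detect_get_flood(lines, min_distinct_ips=50, min_get_ratio=0.95):
    """Flag (minute, path) windows hit by an unusually large number of distinct
    source IPs whose requests are nearly all GETs. Returns a list of alerts."""
    windows = defaultdict(lambda: {"ips": set(), "gets": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = windows[(rec["minute"], rec["path"])]
        w["ips"].add(rec["ip"])
        w["total"] += 1
        if rec["method"] == "GET":
            w["gets"] += 1
    alerts = []
    for (minute, path), w in sorted(windows.items()):
        if len(w["ips"]) >= min_distinct_ips and w["gets"] / w["total"] >= min_get_ratio:
            alerts.append({"minute": minute, "path": path,
                           "distinct_ips": len(w["ips"]), "requests": w["total"]})
    return alerts

def constructed_sample():
    """Constructed sample (not real traffic): 60 distinct sources hitting /rooms
    in one minute, followed by a few ordinary mixed GET/POST requests."""
    lines = [f'198.51.100.{i} - - [17/Aug/2017:10:00:{i:02d} +0000] '
             f'"GET /rooms HTTP/1.1" 200 1024' for i in range(60)]
    for i in range(5):
        method = "POST" if i % 2 else "GET"
        lines.append(f'203.0.113.{i} - - [17/Aug/2017:10:01:0{i} +0000] '
                     f'"{method} /rooms HTTP/1.1" 200 1024')
    return lines

if __name__ == "__main__":
    for alert in detect_get_flood(constructed_sample()):
        print(alert)
```

On the constructed sample the detector reports exactly one window, the 10:00 minute on `/rooms` with 60 distinct sources; the following minute's five mixed requests fall below both thresholds.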

A majority of these malicious apps were media or video players, storage managers, ringtone apps and the like, but they contained “additional hidden features” that users weren’t aware of, and the malware “stayed alive and active in the background.” A large number of devices were evidently affected, since the attacks were launched from over a hundred different countries, which meant that the malicious apps had been distributed globally.


Once the infected apps were identified, Google not only blocked the 300 malicious apps from its Play Store but is also currently in the process of removing them from all the affected devices. “The researchers’ findings, combined with our analysis, have enabled us to protect Android users better, everywhere,” stated Google.

Currently available anti-malware tools identify the malware hidden in the apps as “Android Clicker.” It started out as click-fraud malware but was later repurposed as a distributed denial-of-service (DDoS) tool. This sort of collaboration between experts from tech firms, however, is a novel step and an exciting new phenomenon. As stated by Flashpoint’s security research director Allison Nixon:

“This research is exciting because it’s a case study in just how effective collaboration across the industry is. This was more than just a malware analysis report. The working group was able to connect the dots from the victim to the attacker. The group also used the information to better mitigate the attack and dismantle the botnet — and this was completed very quickly.”

Jared Mauch, security researcher and senior network architect at Akamai, noted that in the case of WireX the team was able to “fully uncover” the workings of this malicious software through quick information sharing and collaborative research between the experts.

CloudFlare CEO Matthew Prince expressed pride in the research and in the team’s effort in rapidly investigating and mitigating this “dangerous discovery.”

RiskIQ threat researcher Darren Spruell said that the operation against WireX shows the “value of collaborative response from security firms, service providers, and law enforcement.”