Google Removes Malicious WireX DDoS Botnet Apps from Play Store

Google removes over 300 Android apps from the Play Store that were secretly being used to launch WireX DDoS attacks.


On Aug. 28 a group of security vendors jointly revealed that they worked together to help identify and disrupt the operations of a mobile Android device botnet known as WireX. The botnet made use of malware infected apps that Google has now removed from the Play store, to launch Distributed Denial of Service (DDoS) attacks.

Among the multiple security vendors that collaborated in the WireX disruption effort were Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru. The joint research effort determined that the WireX botnet may have been active as early as Aug. 2 although it's activity flare up until Aug.17 when multiple Content Delivery Networks (CDNs) were hit by a large wave of WireX DDoS attack traffic. According to the security researchers, a minimum of 70,000 IP addresses were involved in the WireX attacks.

"WireX is a volumetric DDoS attack at the application layer," the researchers wrote in a joint analysis. "In other words, the botnet produces traffic resembling valid requests from generic HTTP clients and web browsers."

Tim April, Senior Security Architect at Akamai said that while WireX traffic peaked on Aug.17 there was a series of attacks that lasted for days across a set of customers in the same vertical. 

"During this series of attacks, the application layer request rate was near 20,000 requests per second," April told eWEEK

April added that it is important to note that the bits per second (bps) measurements for this type of attack are not nearly as important as they are for attacks like SYN floods or DNS spoofing. He said that the WireX DDoS attacks aim to exhaust system resources rather than network bandwidth.  Additionally he noted that a handful of Cloudflare's customers have been attacked in the days since Aug. 17 with similar attack characteristics.

There are several things that make the WireX DDoS botnet somewhat unique, including the fact that it was comprised of mobile devices on a cell network.

"Mobile devices will routinely change IP address as they move from cell tower to cell tower and this aspect makes estimating the size of a botnet uniquely challenging,"  Justin Paine, Head Of Trust and Safety at Cloudflare told eWEEK.

WireX is also somewhat different than the Mirai Internet of Things (IoT) botnet that first emerged at the end of 2016. With Mirai, embedded devices with default credentials were compromised to become part of the botnet that flooded targets with volumetric attack traffic. Allison Nixon, Director of Security Research at Flashpoint commented that the WireX botnet is different from Mirai and the other IoT botnets because the low end embedded Linux systems affected by that type of malware often don't even have support for any of the encryption software required to make HTTPS requests. 

"As a result the vast majority of IoT attacks are dumb volumetric junk traffic, rather than the more complex and resource consuming HTTPS floods," Nixon told eWEEK

The WireX botnet was built using multiple techniques, including malware infected Android apps, which Google has now removed from its Play mobile app store. April noted that the group of security vendors are also working with law enforcement to further disrupt the operations of the botnet and its operators. 

"Like other developments in botnets, this is not the first, nor will it be the last botnet like this," April said. "We hope that with further collaboration this botnet will be disbanded but it is likely that another botnet will appear later on."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.