Slashdot Mirror


Tech Firms Team Up To Take Down 'WireX' Android DDoS Botnet (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs On Security: A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle "WireX," an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more challenging to defend against and thus require broader industry cooperation to defeat. News of WireX's emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices was first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands. Experts tracking the attacks soon zeroed in on the malware that powers WireX: Approximately 300 different mobile apps scattered across Google's Play store that were mimicking seemingly innocuous programs, including video players, ringtones or simple tools such as file managers.

Experts involved in the takedown say it's not clear exactly how many Android devices may have been infected with WireX, in part because only a fraction of the overall infected systems were able to attack a target at any given time. Devices that were powered off would not attack, but those that were turned on with the device's screen locked could still carry on attacks in the background, they found. The identical press release that Akamai and other firms involved in the WireX takedown agreed to publish says the botnet infected a minimum of 70,000 Android systems, but Seaman says that figure is conservative.

29 comments

  1. Once again a bullshit story by Anonymous Coward · · Score: 0

    Name the fucking apps or GTFO!

    1. Re:Once again a bullshit story by EndlessNameless · · Score: 2

      When apps are compromised, Google (and Apple) pull them from the app store and revoke them from user devices. The names don't matter because they're long gone by now.

      Per the original article, most of the apps were compromised because a framework that they used was backdoored. This means that it was not malicious intent by the developers, so there is no point in starting a witch hunt against them directly. Hopefully, Google and the affected developers will respond intelligently to this threat vector.

      And once again, the most basic security principle applies: only install what you absolutely need. Every bit of code carries a risk.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:Once again a bullshit story by Anonymous Coward · · Score: 0

      We need and we should demand the names so we can uninstall them. Without the names the whole story is bullshit, a whitewash. The only reason they don't give them out is to protect the big players. Cut them no slack! Show them no mercy! We must stand up and fight back! When we don't, we get whatever misfortune we deserve. So, fuck everybody! Cough up the names!

    3. Re:Once again a bullshit story by Anonymous Coward · · Score: 0

      We need and we should demand the names so we can uninstall them

      Fucking loud-mouthed idiot.

      Google nukes the apps remotely. You don't need to do anything. They probably got nuked before the story was even published.

  2. Fuck the Tech Industry by Anonymous Coward · · Score: 0

    Death to Billionaires

    Give us our Basic Income

    1. Re:Fuck the Tech Industry by DontBeAMoran · · Score: 3, Funny

      Fuck what this AC just said.

      Give us our Turbo-Pascal Income.

      --
      #DeleteFacebook
    2. Re:Fuck the Tech Industry by mschwanke97402 · · Score: 1

      Fuck what this AC just said.

      Give us our Turbo-Pascal Income.

      Oh, choice, I’d plus you up, if I had any to give.

    3. Re: Fuck the Tech Industry by Anonymous Coward · · Score: 0

      Give us PYTHON income!

  3. Yeah but when does Trump go to prison? by Anonymous Coward · · Score: 0

    The question everyone is asking. #Mueller is hunting.

  4. cross-industry collaboration? by Anonymous Coward · · Score: 0

    I still don't see why they don't release the names of the compromised apps. I now trust the app store less. Guess I should have never trusted it in the first place.

    1. Re:cross-industry collaboration? by Anonymous Coward · · Score: 0

      Cross-industry collaboration is collusion in violation of your right to run malware.

  5. No MAGA, Impeach by Anonymous Coward · · Score: 2, Funny

    Trump lied! America isn't great again!

  6. Android is a terrible nightmare. by Anonymous Coward · · Score: 0

    Can't wake up!

  7. How's that workin' out for ya? by Anonymous Coward · · Score: 0

    You know, that Android advantage of unrestricted background execution... Yeah, yeah, they fixed it in Oreo, which is on all of 600 devices at this point.

  8. Nothing NEW to See Here by mschwanke97402 · · Score: 1

    Another day, another Android security mess. Oh, and look, it comes straight from the Google Play store, again.

    1. Re:Nothing NEW to See Here by Anonymous Coward · · Score: 1

      To be fair, this doesn't seem to be an Android exploit as much as malware hidden in the lgexin library. Malware which probably looks to the system like an app just sending out lots of data -- nothing that compromises the device itself (except maybe some battery life). It's something better suited for an antivirus app to find*.

      It seems unfair to me to act as though it's the OS itself with the issue. I'd say Android actually has a lot of good security hardening measures in it as of 7.0: https://source.android.com/security/enhancements/enhancements70

      * Though, to me, I hate the idea of some antivirus app bogging down my smartphone.

    2. Re:Nothing NEW to See Here by Anonymous Coward · · Score: 0

      My last Android security patch from wonderful Moto was 1st quarter of 2016. Do I need to be concerned?

  9. GOOGLE IS NOT HELPING by Anonymous Coward · · Score: 0

    1. Google identified approximately 300 apps associated with the issue, but they have NOT made that list available to users.

    2. Not only has Google blocked these apps from the Play Store, but they’re in the process of removing them from all affected devices with NO user notification. This is despite the fact that they have the email address of the user.

    3. They clearly want to be seen as a savior, but in fact, they have caused the problem by failing to exercise control over the companies that use Android and the Android name.

    4. These idiots are worse than Microsoft ever was. There is no attempt at a solution here - just a stopgap action. No matter what you think of Apple, they would never let this kind of nightmare go unchecked.

  10. Android Treble may finally help... by ttsiod · · Score: 1

    Android is currently more or less a disaster in terms of updates and security fixes. To people used to "apt-get upgrade" and "unattended-upgrades", the situation is laughable - you buy a phone and you know from the start you will get (maybe) one update to the next version of the OS - if you're lucky. After that, you're left in eternal limbo - an easy target for exploits and all sorts of malware.

    Android Treble may finally help with this disaster - but for now, those of you that can, should try LineageOS.

  11. 70,000 by Anonymous Coward · · Score: 0, Interesting

    That isn't even a minor botnet. That's a half-arsed hobby project. And this requires an unprecedented press release? Methinks a minor threat is being leveraged for some wider purpose.

  12. Re:a real man of god by Anonymous Coward · · Score: 0

    Your prophet is a registered sex offender in both Vietnam and Thailand. Just so you know.

  13. VERY easy to stall it via hosts files... apk by Anonymous Coward · · Score: 0

    See subject & these domains to block out in hosts files:

    0.0.0.0 u.axclick.store
    0.0.0.0 g.axclick.store
    0.0.0.0 p.axclick.store
    0.0.0.0 axclick.store
    0.0.0.0 com.luckybooster.app
    0.0.0.0 luckybooster.app

    * Per https://blog.cloudflare.com/the-wirex-botnet/

    APK

    P.S.=> Of course, nothing builds a custom hosts file for more speed, security, reliability & anonymity online better than APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk
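    The comment above lists hostnames to pin to 0.0.0.0 in a hosts file. The script below is an added example, not code from the post or from Cloudflare: it parses a hosts file to report which of those listed names are not yet sinkholed, emits the missing entries in the same 0.0.0.0 form, and scans DNS resolver log lines for lookups of those names (useful on a network where the hosts file cannot be edited, as the reply below notes for unrooted phones). The hosts file, the log line format `<timestamp> <client> query: <name> <type>`, and the log lines themselves are constructed sample data; the indicator list is copied verbatim from the comment and is not verified here.

```python
"""Hosts-file coverage check and DNS-log detection for the names listed in the
comment above. Added example; sample data is constructed, not captured."""
import re
from typing import Iterable

# Indicator names copied from the comment above (it attributes them to the
# Cloudflare write-up). They are matched as strings only; nothing here verifies them.
WIREX_INDICATORS = {
    "u.axclick.store", "g.axclick.store", "p.axclick.store", "axclick.store",
    "com.luckybooster.app", "luckybooster.app",
}

# Addresses that count as "blocked" when a name is pinned to them in a hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname in a hosts file to the address it is pinned to.
    '#' comments and blank lines are skipped; a later entry overrides an earlier one."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def missing_blocks(hosts_text: str, indicators=WIREX_INDICATORS) -> set[str]:
    """Return the indicator names that the hosts file does not pin to a sinkhole address."""
    mapping = parse_hosts(hosts_text)
    return {name for name in indicators if mapping.get(name) not in SINKHOLE_ADDRS}


def render_block_entries(names: Iterable[str]) -> str:
    """Produce hosts-file lines in the '0.0.0.0 <name>' form used in the comment."""
    return "\n".join(f"0.0.0.0 {name}" for name in sorted(names))


# Constructed log format (an assumption, not any real resolver's format):
#   <timestamp> <client_ip> query: <name> <qtype>
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<name>\S+)\s+(?P<qtype>\S+)$"
)


def flag_dns_queries(lines: Iterable[str], indicators=WIREX_INDICATORS) -> list[tuple[str, str]]:
    """Return (client, queried_name) for lookups that equal an indicator or sit below one,
    e.g. 'cdn.p.axclick.store' matches 'p.axclick.store'. Malformed lines are skipped."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        name = m["name"].lower().rstrip(".")  # drop a trailing root dot
        if any(name == ind or name.endswith("." + ind) for ind in indicators):
            hits.append((m["client"], name))
    return hits


# Constructed sample hosts file: two of the six names are already sinkholed.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 u.axclick.store
0.0.0.0 axclick.store   # trailing comment
"""

# Constructed sample resolver log: two hits, one unrelated lookup, one malformed line.
SAMPLE_DNS_LOG = [
    "2017-08-17T10:00:01Z 10.0.0.23 query: g.axclick.store A",
    "2017-08-17T10:00:02Z 10.0.0.23 query: www.example.com A",
    "2017-08-17T10:00:03Z 10.0.0.41 query: cdn.p.axclick.store. A",
    "not a log line",
]

if __name__ == "__main__":
    gaps = missing_blocks(SAMPLE_HOSTS)
    print("Names not yet blocked in the sample hosts file:")
    print(render_block_entries(gaps))
    print("Clients that looked up an indicator name:")
    for client, name in flag_dns_queries(SAMPLE_DNS_LOG):
        print(f"  {client} -> {name}")
```

The subdomain match in `flag_dns_queries` is deliberate: a hosts file only catches exact names, so a resolver log is the place to see lookups under a listed domain that a hosts entry would miss.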

    1. Re:VERY easy to stall it via hosts files... apk by Anonymous Coward · · Score: 0

      Thanks but I am not on Android. Also, I don't think you can modify and tinker your Android /etc/hosts file. Your above hosts trick must be done at the router level to work.

    2. Re:VERY easy to stall it via hosts files... apk by Anonymous Coward · · Score: 0

      Too bad for you. I don't need a router. Hosts works fine on droidphones or a PC OS's as hosts are std. on most IP stacks based on BSD original design.

  14. WhatsApp by Anonymous Coward · · Score: 0

    Before WhatsApp was devoured by a giant tech firm, it was also accessing your address book. I uninstalled it after reading the Privacy Policy. Don't know about its current tactic now though.

  15. Yes you can on Android (ADB pull command) by Anonymous Coward · · Score: 0

    See subject: You need a rooted phone & Android Debugging Bridge's PULL command to import & overwrite the existing one.

    * Plus, what happens to you IF you need to hookup with a router that does NOT have the blocking list? You're "SOL" depending on routers - I'm not using hosts.

    (It's ALWAYS there locally on the device itself & it's a standard part of any BSD based IP stack (most if not ALL currently are)).

    APK

    P.S.=> Those ARE the facts... apk