SecurityWeek

Mobile & Wireless

Android Botnet Uses Twitter for Receiving Commands

A newly discovered Android backdoor is using an innovative method of receiving commands: it connects to a Twitter account instead of a command and control (C&C) server, ESET researchers say.

Dubbed Android/Twitoor, the malware was designed to download other malicious applications onto the infected devices and has been active for around a month, researchers say. Fortunately, the threat isn’t spreading through official Android storefronts, but through SMS or malicious URLs sent to its victims.

According to ESET researchers, the backdoor is impersonating a porn player application or MMS program, but it does not present the functionality such software would normally have. After being launched, the malware hides its presence on the infected device and starts checking a defined Twitter account at regular intervals for commands.

Depending on the commands it receives, the backdoor can either download malicious applications onto the compromised device or can switch to a different C&C Twitter account, researchers discovered.
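As an added illustration (not code from ESET's analysis or from this article), the following Python check looks for the behaviour described above in constructed Android network-flow records: an app outside an allowlist of known social-network clients that contacts a social-network host at near-constant intervals. The package names, hosts, timings and allowlist are assumed sample data.

```python
"""Beaconing check over constructed Android flow logs: flag apps that poll a
social-network host at near-constant intervals (the pattern described for Twitoor)."""
import statistics
from collections import defaultdict

# Constructed sample records (timestamp in seconds, app package, destination host).
# Package names and timings are invented for this example.
SAMPLE_FLOWS = [
    (0,    "com.example.mmsviewer", "twitter.com"),   # polls every ~60 s
    (60,   "com.example.mmsviewer", "twitter.com"),
    (121,  "com.example.mmsviewer", "twitter.com"),
    (180,  "com.example.mmsviewer", "twitter.com"),
    (241,  "com.example.mmsviewer", "twitter.com"),
    (300,  "com.example.mmsviewer", "twitter.com"),
    (5,    "com.twitter.android",   "twitter.com"),   # legitimate client
    (40,   "com.twitter.android",   "twitter.com"),
    (12,   "com.example.browser",   "twitter.com"),   # legitimate client
    (10,   "com.example.game",      "twitter.com"),   # irregular, user-driven
    (30,   "com.example.game",      "twitter.com"),
    (200,  "com.example.game",      "twitter.com"),
    (260,  "com.example.game",      "twitter.com"),
    (900,  "com.example.game",      "twitter.com"),
    (905,  "com.example.game",      "twitter.com"),
]

SOCIAL_HOSTS = {"twitter.com", "api.twitter.com", "facebook.com", "linkedin.com"}
# Hypothetical allowlist of apps that legitimately talk to these hosts.
EXPECTED_CLIENTS = {"com.twitter.android", "com.example.browser"}


def find_social_beacons(flows, min_contacts=5, max_jitter=0.1):
    """Return {package: (host, mean_interval)} for non-allowlisted packages that
    contact a social host at least min_contacts times with interval spread
    (coefficient of variation) at or below max_jitter."""
    by_pair = defaultdict(list)
    for ts, pkg, host in flows:
        if host in SOCIAL_HOSTS and pkg not in EXPECTED_CLIENTS:
            by_pair[(pkg, host)].append(ts)
    hits = {}
    for (pkg, host), times in by_pair.items():
        if len(times) < min_contacts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            hits[pkg] = (host, round(mean, 1))
    return hits


if __name__ == "__main__":
    print(find_social_beacons(SAMPLE_FLOWS))
```

Note that the check only surfaces the regular polling; confirming that the polled account carries commands still needs the app itself to be examined.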

“Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” Lukáš Štefanko, ESET’s malware researcher who discovered the malicious app, says.

ESET explains that malware that turns devices into botnets requires communication with a C&C server to receive updated instructions, and that this communication could raise suspicion from users. Moreover, they explain that, when these servers are seized, they tend to disclose information about the entire botnet.

To make the Twitoor botnet’s communication more resilient, the malware authors encrypt the transmitted messages. They also rely on complex C&C network topologies and new communication channels, such as social networks.

“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” explains Štefanko.

The researcher also explains that Twitoor is the first Twitter-based bot malware for Android, although other bots have been found to use non-traditional means such as blogs or cloud messaging systems for control. Twitter has, however, been used to control Windows botnets before, as early as 2009, Štefanko also says. In 2012, attackers programmed the Flashback Trojan targeting Macs to use Twitter as a command and control mechanism.

Other social networks, including Facebook and LinkedIn, are also expected to be leveraged for similar nefarious purposes. At the moment, Twitoor has been used to download mobile banking malware onto the infected devices, but it might not be long before its operators switch to other types of malware, such as ransomware, ESET’s researcher notes.

To stay protected, users should be cautious when opening URLs they receive from untrusted sources. They should also make sure their device’s operating system and applications, including security software, are kept updated at all times.

Related: Android Trojan Downloaded Over 2.8 Million Times via Google Play

Related: Android Malware Gang Makes $10,000 a Day: Report