Android Botnet Uses Twitter for Receiving Commands

A newly discovered Android backdoor is using an innovative method of receiving commands: it connects to a Twitter account instead of a command and control (C&C) server, ESET researchers say.

Dubbed Android/Twitoor, the malware was designed to download other malicious applications onto the infected devices and has been active for around a month, researchers say. Fortunately, the threat isn’t spreading through official Android storefronts, but through SMS or malicious URLs sent to its victims.

According to ESET researchers, the backdoor is impersonating a porn player application or MMS program, but it does not present the functionality such software would normally have. After being launched, the malware hides its presence on the infected device and starts checking a defined Twitter account at regular intervals for commands.

Depending on the commands it receives, the backdoor can either download malicious applications onto the compromised device or can switch to a different C&C Twitter account, researchers discovered.

“Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” Lukáš Štefanko, ESET’s malware researcher who discovered the malicious app, says.

ESET explains that malware that turns devices into botnets requires communication with a C&C server to receive updated instructions, and that this communication could raise suspicion from users. Moreover, they explain that, when these servers are seized, they tend to disclose information about the entire botnet.

To make the Twitoor botnet’s communication more resilient, the malware authors decided to encrypt the transmitted messages. They also used complex C&C network topologies and new communication methods, such as social networks.

“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” explains Štefanko.
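The article notes that Twitoor polls a fixed Twitter account at regular intervals and that such traffic blends in with legitimate social-network use. One defender-side handle on this is the timing rather than the destination: the added example below (not from ESET or the article) scans constructed per-app egress log lines and flags packages whose requests to a social-network host arrive at near-constant intervals, while irregular, user-driven traffic from the official client passes. Package names, hosts, timestamps and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log (not real telemetry): timestamp, app package, destination host.
# "com.example.mmsplayer" stands in for a fake MMS/player app beaconing every 5 minutes;
# "com.twitter.android" models a real user browsing Twitter at irregular times.
SAMPLE_LOG = """\
2016-08-24T10:00:00 com.example.mmsplayer api.twitter.com
2016-08-24T10:00:03 com.android.chrome www.example.org
2016-08-24T10:05:00 com.example.mmsplayer api.twitter.com
2016-08-24T10:07:41 com.twitter.android api.twitter.com
2016-08-24T10:10:00 com.example.mmsplayer api.twitter.com
2016-08-24T10:15:00 com.example.mmsplayer api.twitter.com
2016-08-24T10:19:12 com.twitter.android api.twitter.com
2016-08-24T10:20:00 com.example.mmsplayer api.twitter.com
2016-08-24T10:27:30 com.twitter.android api.twitter.com
2016-08-24T10:33:05 com.twitter.android api.twitter.com
"""

# Hosts that are legitimate for a social client but suspicious as a fixed polling target for
# an unrelated app (assumed list; extend with other services named in the article).
SOCIAL_HOSTS = {"api.twitter.com", "twitter.com"}


def parse_log(text):
    """Group request timestamps by (package, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, pkg, host = line.split()
        events[(pkg, host)].append(datetime.fromisoformat(ts))
    return events


def find_periodic_pollers(text, min_requests=4, max_cv=0.1):
    """Return (package, host, mean_period_seconds) for apps whose requests to a social
    host are evenly spaced: coefficient of variation of the inter-request gaps <= max_cv."""
    hits = []
    for (pkg, host), times in parse_log(text).items():
        if host not in SOCIAL_HOSTS or len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((pkg, host, avg))
    return hits
```

Thresholds need tuning per fleet: legitimate background sync also runs on timers, so a hit is a triage lead to pair with the app's install source and permissions, not a verdict on its own.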

The researcher also explains that Twitoor is the first Twitter-based bot malware for Android, although other bots have been found to use non-traditional means such as blogs or cloud messaging systems for control. However, Twitter has been used to control botnets for Windows before, as early as 2009, Štefanko also says. In 2012, attackers programmed the Flashback Trojan targeting Macs to use Twitter as a command and control mechanism.

Other social networks, including Facebook and LinkedIn, are also expected to be leveraged for similar nefarious purposes. At the moment, Twitoor has been used to download mobile banking malware onto the infected devices, but it might not be long before its operators switch to other types of malware, such as ransomware, ESET’s researcher notes.

To stay protected, users should be cautious when opening URLs they receive from untrusted sources. They should also make sure their device’s operating system and applications, including security software, are kept updated at all times.
