Report Reveals Emerging Trend in Android Botnet Infections

Statistics show an increase in Android devices infected with crimeware that is actively communicating with multiple criminal C&C servers

Google Android devices are being caught in a Web of botnet activity at an unprecedented rate, according to new research by security firm Damballa.


In its threat report for the first half of 2011, Damballa observed that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. While the figure is nowhere near the numbers of PCs under the control of cyber-criminals, it does represent a significant jump in malware targeting mobile phones.

During weeks 10 and 11 of the year, a malware outbreak peaked at 20,000 devices but was quickly quashed – something the firm attributes to devices and applications being remotely wiped when malicious apps were identified.

“As predicted, 2011 is shaping up to be the year that mobile malware will begin to be an issue for consumers and enterprises alike in North America,” according to the report. “Other countries (China being a great case in point) have already had to deal with significant outbreaks of mobile device infections.”

“Many of these devices connect to the corporate WiFi when brought to work,” the report continues. “They come into the network infected, and traditional security systems designed to protect traditional computing assets will not detect these infected mobile devices.”

According to Damballa Vice President of Research Gunter Ollmann, the majority of the malware associated with this C&C activity is designed first to steal data stored on the handset, such as email account passwords, and then to serve as a jump point into other networks. If the phone connects to a WiFi network, for example, the remote attacker can launch new attacks from the compromised device and proxy commands to other infected devices, he told SecurityWeek via email.
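What the infected handsets described above leave behind on the corporate network is a stream of outbound connections to the same external host at a near-constant interval: the bot checking in with its C&C server. That periodicity is what network-side detection keys on, and it is visible in ordinary firewall or proxy logs even when endpoint security never sees the phone. The block below is an added example and not code from Damballa, the report, or SecurityWeek; the log format, the addresses, the 10.20.0.x hosts and the thresholds are all assumptions chosen for illustration.

```python
"""Beacon detection over constructed connection logs.

Added example (not from the Damballa report): flag (source, destination)
pairs whose outbound connections recur at a near-constant interval, the
pattern a bot polling its C&C server leaves in firewall or proxy logs.
Log format, addresses and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per outbound connection:
# "<ISO timestamp> <source IP> <destination IP:port>".
# 10.20.0.17 is an assumed Android handset polling one external host
# every ~5 minutes with slight jitter; 10.20.0.42 is an assumed laptop
# browsing at irregular intervals. Both addresses are made up.
SAMPLE_LOG = """\
2011-03-08T09:00:00 10.20.0.17 203.0.113.9:80
2011-03-08T09:01:12 10.20.0.42 198.51.100.20:443
2011-03-08T09:05:02 10.20.0.17 203.0.113.9:80
2011-03-08T09:07:45 10.20.0.42 198.51.100.21:443
2011-03-08T09:09:58 10.20.0.17 203.0.113.9:80
2011-03-08T09:10:03 10.20.0.42 198.51.100.20:443
2011-03-08T09:15:01 10.20.0.17 203.0.113.9:80
2011-03-08T09:19:59 10.20.0.17 203.0.113.9:80
2011-03-08T09:25:00 10.20.0.17 203.0.113.9:80
2011-03-08T09:26:30 10.20.0.42 198.51.100.20:443
2011-03-08T09:30:01 10.20.0.17 203.0.113.9:80
2011-03-08T09:48:10 10.20.0.42 198.51.100.20:443
"""


def parse_log(text):
    """Parse the assumed 'timestamp src dst' format into sorted
    (datetime, src, dst) tuples; out-of-order lines are tolerated."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return sorted(events)


def find_beacons(events, min_intervals=3, max_cv=0.1):
    """Return {(src, dst): (period_seconds, cv)} for pairs whose
    inter-connection gaps are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps: a
    bot sleeping a fixed time between check-ins scores near 0, while
    a human browsing the same site scores well above max_cv.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst in events:
        stamps_by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue  # too few connections to judge periodicity
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[pair] = (round(period), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (period, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every ~{period}s (cv={cv})")
```

Run against the constructed log, only the handset's connections to 203.0.113.9:80 are reported (period about 300 seconds, cv under 0.01); the laptop's visits to 198.51.100.20 have a cv above 0.3 and drop out. Real bots often add random sleep jitter, so `max_cv` is a tuning knob: raising it catches sloppier beacons but also surfaces legitimate pollers such as mail sync and NTP, which is why the output is a triage list rather than a verdict. On a corporate WiFi the source address is a DHCP lease, so the hits should be joined to DHCP or 802.1X records to identify the actual device.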

But while threats against Android have gotten plenty of headlines of late, the threat of compromised PCs did not lessen during the first half of the year. As it turns out, the notorious SpyEye crimeware kit jumped from number 10 in 2010 to number one on the list of the largest botnets.


“It’s not surprising to see “OneStreetTroop,” a botnet operation utilizing crimeware generated and managed by the popular SpyEye DIY (do-it-yourself) construction set, rise to prominence in the first half of 2011,” according to the report. “The developers behind the SpyEye Builder Kit acquired access to the Zeus Builder source code and have now combined the best of both crimeware development kits into a single commercial package. The malware is now more powerful and capable than ever. After the recent release of a ‘crack’ to version 1.3.45 of the SpyEye developer kit, as first reported by Damballa Labs, we expect to see widespread adoption of SpyEye in 2011 for the purposes of launching additional fraud campaigns.”

Not unexpectedly, the list also demonstrated the prevalence of do-it-yourself crimeware kits. Of the top 10 largest botnets, eight utilize well-known off-the-shelf construction kits, the firm noted.

“Criminal operators continue to hone their craft in 2011 using crimeware that can be repurposed for multiple fraud opportunities, sold or leased to other criminals, and that is now successfully infiltrating the mobile space,” Ollmann said in a prepared statement. “As the arms race rages on between the criminals, their increasingly federated crime-as-a-service ecosystem, and the security professionals tasked with combating them, it has become increasingly important that the defenders obtain advanced knowledge of the existence and behavior of new criminal operators and their network of infected assets.”

Related Reading: Rethinking Cybersecurity in a Mobile World

Related Reading: Got Android? Some Considerations on Permissions and Security

Suggested Reading: Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms

Suggested Reading: Attacks on Mobile and Embedded Systems: Current Trends
