Connect with us

Hi, what are you looking for?


Mobile & Wireless

Tech Firms Unite to Neutralize WireX Android Botnet

Major New WireX Android Botnet Neutralized by Cross-Vendor Collaborative Research

Major New WireX Android Botnet Neutralized by Cross-Vendor Collaborative Research

Black clouds on the internet do sometimes have a silver lining. Global attacks such as those from Mirai last year and WannaCry/NotPetya this year have fomented informal collaborative global responses — one of which happened this month when multiple competitive vendors collaborated in the research and neutralization of a major new botnet called WireX.

The collaboration was informal. Security experts often move around the industry, but usually retain good relationships and continue those relationships. This happened with WireX. It first appeared on August 2nd, but was small enough to be ignored. Two weeks later it ramped up into something altogether different. 

In a joint and coordinated announcement and series of blogs, Flashpoint, Akamai, Cloudflare, and RiskIQ have today explained how their researchers, together with researchers from other organizations, detected, collaborated, and ultimately neutralized the botnet.

The initial August 2nd attacks were minimal, suggesting the malware was in development or in the early stages of deployment. “More prolonged attacks have been identified starting on August 15th, with some events sourced from a minimum of 70,000 concurrent IP addresses,” say the reports. The targets of the attacks are not specified, but some reports suggest that several large websites in the hospitality sector were taken down.

The attacks were volumetric, attacking the application layer with HTTP GET requests disguised to look like legitimate web traffic. At this level, the attacks were soon detected by multiple cyber security firms, and the collaboration began.

When it did, “the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system.” 

Advertisement. Scroll to continue reading.

Analyses of logs from August 17 attacks implicated a particular Android app. Searches using variations of the application name and parameters in the application bundle revealed multiple additional applications from the same, or similarly named authors, with comparable descriptions. Around 300 apps were located. The attacks themselves seem to have come from more than 100 different countries, indicating a wide and successful distribution of the malicious apps.

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” says Google. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”

Many of the apps appear to be legitimate with benign functions, such as media/video players, ringtones or tools such as storage managers — but “with additional hidden features that were not readily apparent to the end users that were infected.” This malware stayed alive and active in background even when the app itself was not in use.

Existing anti-malware tools already detect the malware as ‘Android Clicker’, leading the researchers to believe it started life as click fraud malware that was later repurposed as a DDoS tool.

This was not a botnet ‘takedown’ (such as Kelihos earlier this year) in the usual sense, where industry and law enforcement combine to locate and ‘seize’ or sinkhole the C2 server or servers (although the researchers do proffer their thanks to “the FBI for their assistance in this matter”). This is more a neutralization than a takedown. The collaborative research by the vendors has resulted in isolating the rules that can stop the malformed GET (and potentially also POST) traffic, while Google’s efforts to locate and remove the apps from the Play Store (and cleanse infected devices) stops them being originated.

Almost more important than the botnet neutralization, however, is this new example of collaboration between the different companies concerned. “This research is exciting because it’s a case study in just how effective collaboration across the industry is,” said Allison Nixon, director of security research at Flashpoint. “This was more than just a malware analysis report. The working group was able to connect the dots from the victim to the attacker. The group also used the information to better mitigate the attack and dismantle the botnet — and this was completed very quickly.”

Akamai’s senior network architect and security researcher, Jared Mauch, added, “In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner.”

“I’m proud of our research team and the researchers who worked together to rapidly investigate and mitigate this dangerous new discovery,” said Matthew Prince, co-founder & CEO of Cloudflare.

“The WireX botnet operation shows the value of a collaborative response from security firms, service providers, and law enforcement,” said Darren Spruell, threat researcher at RiskIQ.

The hope is that this success becomes a repeated example of how the global industry can collaborate to defeat global threats. “This report is an example of how informal sharing can have a dramatically positive impact for the victims and the Internet as a whole,” conclude the researchers. “Cross-organizational cooperation is essential to combat threats to the Internet and, without it, criminal schemes can operate without examination.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.