Connect with us

Hi, what are you looking for?


Mobile & Wireless

Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks

Variant of WireX Android Botnet is Able to Deliver High-volume UDP Flood DDoS Attacks

Variant of WireX Android Botnet is Able to Deliver High-volume UDP Flood DDoS Attacks

When several tech companies combined to analyze and hopefully control a new Android-based botnet they called WireX, they described it as focused on low bandwidth HTTP(S) attacks using POST and GET. They missed one variant subsequently analyzed by Qihoo Technology’s 360 Flame Labs. This variant of WireX is able to deliver high-volume UDP flood attacks.

Both F5 Networks and Akamai have subsequently analyzed this ‘new’ variant. Akamai admits that it was ‘essentially overlooked’ by the original researchers until found and analyzed by Qihoo’s Labs. F5 appears to have found it independently. Worryingly, a single bot is capable of generating over 250GB of attack traffic per attack directive.

The analyses show that the INSMainActivity component “runs the show and is responsible for both preliminary bootstrapping and spinning up the command and control (C2) polling services.” It polls the for commands. If it receives a response where the <title> tag is not empty, it spins up the AsyncTask/Vpxbjlowiwzg service. This in turn generates the C2 polling threads, one of which is responsible for the UDP attack logic, including sending out the UDP traffic.

If the initial C2 response contains both a <title> tag and the string ‘snewxwri’ (WireX is so-named from an anagram of the final 5 characters), then the attack directive string is split() into an Array on this delimiter value. The delimiter separates the target IP address and the port to attack (which is 1337 in Akamai’s analysis).

“The UDP attack traffic exiting the infected device uses fairly generic attack characteristics and offers no customization capabilities for the attacker.” In this variant/version, the attacker has no options over the packet size, or padding content for the UDP attack — the bot receives its instructions and runs its attack cycle. Each packet is null (0x00) padded to a length of 512 bytes.

The bot spins up 50 threads. Each thread runs until 10,000,000 packets have been directed at the target, and is replaced by the next thread. “It is possible,” writes Akamai, “a victim could receive many more than 500,000,000 packets per a given attacking source.  At these rates, a single host is capable of generating over 250GB of attack traffic per attack directive received.”

The attack rate is dependent on the speed of the delivering device and its network connections. “The code does not throttle the attack, and as a result will use all resources available on the device. We noticed our Android phone got surprisingly hot to the touch as a result.”

Advertisement. Scroll to continue reading.

WireX is more complex and dangerous than originally thought. “Discovering, and ultimately confirming, that WireX can also launch UDP-based volumetric attacks is important, as they are more likely to impact additional applications and OSI layers. This further expands the botnet’s capabilities, raising additional concerns for defenders.” No definite WireX UDP DDoS attack has yet been seen.

“Initial samples of WireX were flagged as click fraud malware,” comments Akamai. 

F5 offers a possible explanation:  one command that is triggered only when the application launches is served by the URL. “It results in the malware opening the default Android browser 10 times and browsing the target URL, which just seems like some basic clickfraud functionality,” comment the F5 researchers.

“While it’s easy to see how a click fraud bot could be easily repurposed to carry out HTTP(S) attacks, adds Akamai, “this discovery and our research all but confirms that WireX wasn’t a click fraud botnet being repurposed to perform DDoS attacks. WireX was purpose built to engage in DDoS attacks from the start. To what end (ransom, ddos-for-hire, etc.), has yet to be fully realized.”

F5 also points out that despite the basic nature of the UDP attack itself, “it has good market differentiation in its HTTP functionality. Being based on Android’s WebView class, the thingbot [the term used for IoT-based botnets, such as Mirai] is better equipped with browser-like functionality, making it more resistant to various bot challenges, such as cookie support, redirects, and JavaScript, which are still an obstacle for many DDoS malwares.”

What does seem clear is that WireX is at the early stages of its evolution — but already shows indications that it could develop into a serious threat.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.