Researchers at the security firm ESET discovered a new malicious Android app named “Updates for Android” that attackers used to launch a DDoS attack on ESET’s global website, www.eset.com.
According to a recent blog post by Lukas Stefanko of ESET Labs, in mid-January ESET researchers found this trojanized DDoS app, which claimed to provide daily news updates to its users but in reality infected Android devices to carry out DDoS attacks on websites.
ESET analyzed the DDoS attack it experienced and found that it originated from more than 4,000 unique IP addresses and lasted for seven hours, targeting the company’s website.
Further in the analysis, they saw that the app was first uploaded to the Google Play Store on September 9, 2019, listed under the System Apps category and has more than 50 thousand installs.
The app displays a news feed to avoid suspicion, but its main function is to receive commands from a pre-defined website that serves as a Command and Control (C&C) server.
“The DDoS attack starts with the compromised device receiving a command to load the attacker’s script that specifies the targeted domain.
Once the script is loaded, the device starts making requests to the targeted domain until it is served with another script by the C&C server which may contain a different target domain,” further reads the blog.
ESET has also provided IOCs for this malicious app:
Package Name: com.world.hello.myapplication
Hash: 34A6BD8B96729B6F87EC5E4110E02BEE1C76F5A9
Detection: Trojan.Android/Hiddad.AJN
The malicious “Updates for Android” app has now been removed from the Google Play Store based on ESET’s notice, but it is still available in a few unofficial app sources.
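A sweep for the two IoCs listed above, as an added example that is not from ESET or the original post: it checks the output of `adb shell pm list packages -f` for the package name and hashes APK files in a directory against the published hash. It assumes the 40-hex-digit hash is SHA-1; the sample output and its device paths are constructed.

```python
import hashlib
import pathlib

# IoCs exactly as published on this page.
IOC_PACKAGE = "com.world.hello.myapplication"
# Assumption: 40 hex digits, so treated as a SHA-1 of the APK file.
IOC_HASH = "34A6BD8B96729B6F87EC5E4110E02BEE1C76F5A9".lower()


def parse_pm_list(output):
    """Parse `pm list packages -f` lines into {package_name: apk_path}."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # APK paths can themselves contain '=', so split on the last one only.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep:
            packages[name] = path
    return packages


def sha1_file(path, chunk=1 << 20):
    """SHA-1 of a file, read in chunks so large APKs are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(pm_output, apk_dir=None):
    """Return (kind, detail) findings for the package name and the APK hash."""
    findings = []
    packages = parse_pm_list(pm_output)
    if IOC_PACKAGE in packages:
        findings.append(("package", packages[IOC_PACKAGE]))
    if apk_dir is not None:
        for apk in sorted(pathlib.Path(apk_dir).rglob("*.apk")):
            if sha1_file(apk) == IOC_HASH:
                findings.append(("hash", str(apk)))
    return findings


# Constructed sample of `pm list packages -f` output (paths are made up).
SAMPLE = """\
package:/system/app/Clock/Clock.apk=com.example.clock
package:/data/app/~~Qx1==/com.world.hello.myapplication-Zk9==/base.apk=com.world.hello.myapplication
"""
```

A package-name match alone identifies this specific listing; the hash check covers copies pulled from a device or downloaded from unofficial sources into `apk_dir`.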