A malicious Android app infected 50K+ devices and DDoSed antivirus firm ESET

A malicious Android app infected 50K+ devices and DDoSed antivirus firm ESET

Researchers at the security firm ESET discovered a new malicious android app named “Updates for Android” that was used by attackers to launch DDoS attack on ESET’s global website www.eset.com.

According to a recent blog published by Lukas Stefanko from ESET Labs, during mid-January, researchers at ESET found this DDoS trojanized app claiming to provide daily news updates for its users but in reality, it was infecting android devices to carry out DDoS attacks on websites.

Image (welivesecurity): The malicious “Updates for Android” app removed from the Google Play Store.

ESET analyzed the DDoS attack they experienced and found out that it was originated from more than 4,000 unique IP addresses and lasted for seven hours targeting the company’s website.

Further in the analysis, they saw that the app was first uploaded to the Google Play Store on September 9, 2019, listed under the System Apps category and has more than 50 thousand installs.

“The app’s only malicious functionality relied on its ability to load JavaScript from an attacker-controlled server and execute it on the user device. This explains why the app made it onto the Play store,” reads the blog by Lukas.

The app displays news feed to avoid suspicion but its main function is to receive commands from a pre-defined website that serves as a
Command and Control server (C&C).

Image (welivesecurity): List of commands that could be executed by this malicious app

The C&C server then sends a command to infected devices to further display ads in the user’s default browser, hide its presence by hiding the icon, and finally execute arbitrary, remotely supplied JavaScript to make it a part of a botnet and launch DDoS via that botnet.

“The DDoS attack starts with the compromised device receiving a command to load the attacker’s script that specifies the targeted domain.
Once the script is loaded, the device starts making requests to the targeted domain until it is served with another script by the C&C server which may contain a different target domain,” further reads the blog.

ESET has also provided IOCs for this malicious app:

Package Name: com.world.hello.myapplication
Hash:34A6BD8B96729B6F87EC5E4110E02BEE1C76F5A9
Detection: Trojan.Android/Hiddad.AJN

The malicious “Updates for Android” app is now removed from the Google play store basis on ESET’s notice but it is still available in few unofficial app sources.

Source: welivesecurity

Share with your friends:

Leave a Reply

Your email address will not be published.