WireX is a large botnet that leverages Android-powered mobile devices to perform distributed denial-of-service (DDoS) attacks on targets. Network traffic generated by WireX was discovered by researchers on August 2, 2017, and the source of the malware infections that formed the botnet was traced to approximately 300 mobile apps available for download on the Google Play Store. These malicious apps masqueraded as legitimate software such as file managers, video players, and ringtones, and even performed their advertised functions; however, each app also included a function that ran in the background and caused the Android device to connect to a remote server. This server, controlled by the hacker behind the campaign, was used to send commands to the infected zombie devices, directing them to send junk network traffic simultaneously to a target website with the intention of knocking it offline for a period of time. Researchers at Akamai, a content delivery network and cloud service provider, reported that a minimum of 70,000 Android devices had been infected by WireX, and they claim to have seen between 130,000 and 160,000 unique IP addresses, originating in over 100 countries, involved in attacks on their platform. Notable features of WireX include the use of its own "headless" web browser, which is invisible to the user of the device, and the encryption of its network traffic using SSL.
The largest detected attack by WireX occurred on August 17, 2017, impacting multiple content delivery networks and content providers. By August 28, multiple companies published press releases outlining how collaboration efforts succeeded in quickly dismantling the botnet.
Reporting and Technical Details:
- August 2017: Tech Firms Team Up to Take Down "WireX" Android DDoS Botnet (KrebsOnSecurity)
- August 2017: The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack (Flashpoint)
- August 2017: Google Removes 300 Android Apps that Secretly Hijacked Phones for DDoS Attacks (The Verge)
- September 2017: Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks (SecurityWeek)