In August 2016, ESET researchers discovered a new Trojan, Twitoor, targeting Android devices. Twitoor uses a Twitter account to control infected devices, as opposed to a C2 server. Twitter communication channels are more difficult to discover and block, and it is very easy for the attacker to redirect communications to a newly created Twitter account should the previous one get compromised or suspended. Twitoor is a dropper Trojan designed to establish contact with a malicious Twitter account to receive instructions on actions to take, such as downloading additional payloads and switching to different accounts. It is believed to be distributed by SMS messages and malicious URLS. Twitoor disguises itself as an adult video player app or MMS application but, when installed, it proceeds to download multiple versions of mobile banking malware and can use the infected device as part of a botnet.
- ESET provides technical details on the Twitoor malware, available here.