On August 17th, a botnet that would later be named WireX struck the 'net, DDoSing a handful of CDNs and content providers. Cloudflare just revealed the details of the DDoS and the fight against it in a recent blog post. Researchers at the company as well as other affected organizations were able to combat the botnet by determining the source, which was primarily found to be Android devices running malicious applications, some of which were distributed by the Play Store. Google was then notified, and hundreds of offending applications were removed from the Play Store.
Cloudflare's estimation of the botnet's growth
Researchers from a ton of organizations, including Cloudflare, Google, and Akamai, came together to fight the botnet, which included traffic originating from over 100 countries. Upon examination, the first signs of the botnet popped up on August 2nd, though the attacks initially went ignored.
Over time, researchers were able to determine that the source of the DDoS traffic was from Android devices, and they were able to discover one application source from logs gathered in the August 17th DDoS. With that example, they then found other applications with similar malware and began work contacting app stores such as Google's to have the malware-riddled apps removed.
Some of the allegedly malware-laden apps
Google issued the following statement to Cloudflare, which was published today in the blog post:
We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices. The researchers' findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.
Most of the applications were low-quality generic app-spam, things advertised as ringtones, media players, or file explorers. They were even able to run in the background, repurposing the so-called "Android Clicker" Trojan to stay open while waiting for instructions to attack. It's surprising that the apps escaped detection if they were using known malware components.
Thankfully, Google's Play Protect is now able to detect applications which include the malware, but it is not immediately clear if any warning was previously triggered by the offending applications. Though Cloudflare's blog post makes the distinction that all the applications tested now trigger this message at installation, it's unlikely that users had to disable PlayProtect to install the apps that were distributed by Google in the Play Store.
Cloudflare's blog post makes it clear that researchers were only able to combat the WireX botnet as a result of collaboration between the organizations which were affected by it. Sysadmins and developers interested in the full technical details behind the botnet's operation, including the privileges and systems it manipulated to operate, should give Cloudflare's blog post a look.