WireX Botnet Taken Down – Android DDOS Botnet Neutralized

In the last few weeks their was constant DDOS attack against multiple Content Delivery Networks (CDNs) and content providers by a botnet named ‘WireX’. There was a cross-industry collaborated effort between various CDNs and technology industries has led to successful dismantling of WireX Botnet.

What is WireX?

WireX is a botnet that was hidden in thousands of malicious apps like like games, media player, storage managers in google playstore which when installed in an android devices, starts a DOS attack against a CDN. These bots where controlled by a remote Command and Control Server. When a group of these bots does a combined attack, it becomes a DDOS with increased severity.

According to statistics in the beginning of this month “WireX” botnet had already infected over 120,000 Android smartphones which was enough for a massive DDOS attack against targeted servers.

The Takedown

Cyber security researchers from different countries security companies like CloudFlare, Google, Oracle  spotted these attacks and they collaborated to combat it. This botnet used a new class of attacking scripts that are difficult to defend against and thus require wider industrial cooperation to defeat.

Google has removed more that 300 infected apps from playstore and they are still scanning for infected applications. Google Play Protect is a new feature that helps you keep your device safe and secure. It runs a safety check on apps from the Google Play Store before you download them. If you have latest version of the Android that have Google’s Play Protect feature, it will automatically remove WireX apps from your device, if you have one installed.

“In terms of risk from this botnet, at this point it’s largely neutralized and most of the phones have been cleaned up.” — Justin Paine, head of trust and safety at Cloudflare.

Severity of this attack has been diminished. Most of the Command and Control Servers have been shutdown and the remain up and running servers are about to be taken down.

WireX shares so many similarities such as code, names and icons with previously known malware called Android Clicker, which means the creator may be the same and he has just moved to DDOS attack in the recent past.

Akamai’s inter networking research team informed that they were able to identify the tools and codes used in the attack and decompile them to find the CNC servers that was actually controlling these botnets.