Android Security News: 300 Apps That Reportedly Aid DDoS Attacks Removed From Google Play
Google removed up to 300 applications from its Play Store after learning that they had been used in distributed denial of service (DDoS) attacks against several content delivery networks (CDNs) and cloud service providers earlier in August.
In mid-August, Akamai (one of the attacked CDNs) reported that its servers and security analysts had observed "prolonged" DDoS attacks.
For a DDoS attack of this kind to work, the attackers first need a large number of devices under their control. Traditionally that means infecting vulnerable computers with malware that spreads to other machines sharing the same weakness; in this case the foothold was an installed Android app. The controlled devices, without their owners' knowledge, then send requests or other network traffic to the targeted server, slowing it drastically or taking it offline for periods of time.
The DDoS attack that plagued CDNs and cloud service providers in August was dubbed WireX. It was eventually learned that it was driven by a botnet of Android devices compromised by malicious apps.
Upon receiving Akamai's report, Google reportedly provided the statement: "We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we're in the process of removing them from all affected devices. The researchers' findings, combined with our own analysis, have enabled us to better protect Android users, everywhere."
According to Akamai, the DDoS attack it experienced started as early as Aug. 2. "It wasn't discovered until researchers began searching for the 26-character User-Agent string in logs," Akamai added. At that time the attack traffic was fairly small, which suggested that the malware was still in the early stages of its spread.
Tracking the attack showed that it was being carried out by the WireX botnet of compromised Android devices. On Aug. 15 the company reported seeing "a minimum of 70,000 concurrent IP addresses" in its traffic, enough to make clear that it was under attack.
On Aug. 17, Akamai added that it had linked the attacks to an Android package file name, "twdlphqg_v1.3.5_apkpure.com.apk", which indicated that Android applications were being used.
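As an added example (not code from the original article or from Akamai), the hunt described in the two paragraphs above, searching web server logs for a 26-character User-Agent string and counting the distinct client IPs that send it per minute, can be scripted against standard combined-format access logs. The log lines, User-Agent values, IP addresses and alert threshold below are all constructed for the example; the extra requirement that a suspect User-Agent contain no space or slash is an assumption added here to exclude ordinary product/version tokens, not something the article states.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log format:
# ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The article reports a 26-character User-Agent string; the length is the
# only property of it the page gives us.
SUSPECT_UA_LEN = 26

# Constructed sample log (RFC 5737 documentation addresses, made-up UA strings).
# Four hits from three bot IPs in 13:45, one real browser, one 26-character
# but legitimate-looking tool UA, and one more bot hit in the next minute.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Aug/2017:13:45:07 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomvypdxmyzalecxyzk"
203.0.113.11 - - [02/Aug/2017:13:45:09 +0000] "GET / HTTP/1.1" 200 512 "-" "xkwqzfpnlrtdbvjmgcuyhsoeia"
203.0.113.12 - - [02/Aug/2017:13:45:12 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomvypdxmyzalecxyzk"
203.0.113.10 - - [02/Aug/2017:13:45:40 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomvypdxmyzalecxyzk"
198.51.100.7 - - [02/Aug/2017:13:45:41 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
198.51.100.8 - - [02/Aug/2017:13:45:50 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Python-urllib/3.6 (x86-64)"
203.0.113.13 - - [02/Aug/2017:13:46:02 +0000] "GET / HTTP/1.1" 200 512 "-" "xkwqzfpnlrtdbvjmgcuyhsoeia"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspect_ua(ua):
    """Exactly 26 characters AND no space or '/' (assumption added here:
    real product UAs carry 'name/version' tokens, so this keeps the filter
    from matching a legitimate 26-character UA). Hunt filter, not a block rule."""
    return len(ua) == SUSPECT_UA_LEN and " " not in ua and "/" not in ua


def minute_bucket(ts):
    """'02/Aug/2017:13:45:07 +0000' -> '02/Aug/2017:13:45'."""
    return ts.split(" ")[0].rsplit(":", 1)[0]


def hunt(lines, threshold):
    """Return (per_minute, suspect_uas, alert_minutes).

    per_minute maps each minute to the set of distinct IPs that sent a suspect
    UA in it; alert_minutes lists minutes whose distinct-IP count reaches
    `threshold` (Akamai cited 70,000 concurrent IPs; here it is a parameter).
    """
    per_minute = defaultdict(set)
    suspect_uas = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspect_ua(rec["ua"]):
            continue
        per_minute[minute_bucket(rec["ts"])].add(rec["ip"])
        suspect_uas.add(rec["ua"])
    alerts = sorted(m for m, ips in per_minute.items() if len(ips) >= threshold)
    return per_minute, suspect_uas, alerts


def run_hunt(log_text=SAMPLE_LOG, threshold=3):
    """Run the hunt over a log text; the default threshold suits the sample."""
    return hunt(log_text.splitlines(), threshold)


if __name__ == "__main__":
    per_minute, uas, alerts = run_hunt()
    for minute in sorted(per_minute):
        print(minute, len(per_minute[minute]), "distinct IPs")
    print("alert minutes:", alerts)
    print("suspect UAs seen:", sorted(uas))
```

Counting distinct source IPs rather than raw requests is what turns a single noisy client into a non-event and a widely spread botnet into an alert; on real logs the threshold should be set from a baseline of normal traffic, and the sorted list of suspect UA values is worth keeping, since a large set of distinct 26-character strings is itself a strong sign of per-device randomization rather than one misconfigured client.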