WireX Android DDoS botnet that infected numerous phones in over 100 countries shut down

A massive Android DDoS botnet known as WireX was taken down by a collaborative effort of several cybersecurity firms. The botnet was detected on 17 August, when multiple targets came under attack from it. WireX targeted various industries, most notably the hospitality, porn and gambling sectors.

Over 300 apps on Google Play were part of the WireX botnet, which Google has since removed. However, at its peak, the botnet infected a minimum of 70,000 Android systems and controlled over 150,000 IP addresses. According to security experts, the hackers made it especially challenging for firms to defend against the botnet's DDoS attacks by spreading them out over numerous phones across the globe and hiding them within common Web requests.

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle, RiskIQ and Team Cymru were among those who worked collaboratively to shut down WireX.

Experts believe that the botnet was still in its infacy, with its operators working to scale up its attack powers.

"Evidence indicates that the botnet may have been active as early as August 2, but it was the attacks on August 17th that drew the attention of these organizations," the researchers said in a joint statement released by all of the collaborative security firms, adding that the cybercriminals operating WireX also sometimes sent victims ransom notes.

"We believe we identified this botnet and took action while it was still in the early stages of growing," Justin Paine, head of trust and safety at content delivery network Cloudflare, told ArsTechnica. "Luckily, the efforts of this group detected and took action against this botnet before it had a chance to grow much larger."

"To my knowledge, it is one of the biggest mobile botnets used to conduct attacks," Paine said, Threatpost reported.

The collaborative takedown of the botnet was reportedly prompted by the massive DDoS attacks launched by the infamous Mirai botnet last year. According to Flashpoint director of security research Allison Nixon, the Mirai attacks provided a call to arms to the infosec community to collaborate further in eliminating major threats.

"When those really large Mirai DDoS botnets started showing up and taking down massive pieces of internet infrastructure, that caused massive interruptions in service for people that normally don't deal with DDoS attacks," Nixon said, security journalist Brian Krebs reported in his blog, Krebs on Security. "It sparked a lot of collaboration. Different players in the industry started to take notice, and a bunch of us realised that we needed to deal with this thing because if we didn't it would just keep getting bigger and rampaging around."

Security experts believe that WireX may have initially been developed for "click fraud", which is a type of online advertising fraud that cost businesses an estimated $16bn this year alone. However, the researchers suggest that WireX was likely later repurposed to launch DDoS attacks.

The researchers said although the apps that housed WireX's attack functions were malicious, they appeared "benign to users who installed them". The apps capitalised on certain Android features that allow them to use system resources, even while functioning in the background. This in turn allowed the apps part of the WireX botnet to launch attacks even when they were not in use.

"Antivirus scanners currently recognise this malware as the 'Android Clicker' trojan, but this campaign's purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS," the researchers said.

"These are pretty miserable and painful attacks to mitigate, and it was these kinds of advanced functionalities that made this threat stick out like a sore thumb," Akamai senior engineer Chad Seaman said.