Security researchers have uncovered the first ever Twitter-controlled Android botnet, which acts as a backdoor to download malware onto infected devices. Dubbed Twitoor, the malicious app is not available on any official Android app stores. Researchers believe that the botnet is possibly distributed via SMS or malicious URLs.
According to cybersecurity firm ESET, the botnet is stealthy and capable of hiding its existence on infected devices. The botnet also masquerades as a porn player app or and MMS app but does not come equipped with the functionalities of either.
"Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet," says Lukáš Štefanko, the ESET malware researcher who discovered the malicious app.
Twitoor has been active for a month and has been downloading several variants of mobile banking malware. More alarmingly, the botnet is also capable of distributing ransomware any time in the future, according to ESET.
"Twitoor serves as another example of how cybercriminals keep on innovating their business. The takeaway? Internet users should keep on securing their activities with good security solutions for both computers and mobile devices," Štefanko cautioned.
The developers of the botnet have added encrypted messages and complex topologies of the C&C (command and control) servers such as using social media when communicating. These are aimed at avoiding any detection from security agents. These functionalities can also be viewed as a defence tactic to safeguard the C&C servers, which play a key role in such botnet-related cybercrime ventures.
According to ESET, the cybercriminals are specifically looking to enhance the resilience of the botnet's communications, as a seizure of C&C servers by authorities could eventually lead to a complete disclosure of the botnet's activities.
"These communication channels are hard to discover and even harder to block entirely. On the other hand, it's extremely easy for the crooks to re-direct communications to another freshly created account. In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks," Štefanko said.