Google has removed roughly 300 apps from its Play Store after security researchers from several internet infrastructure companies discovered that the seemingly harmless apps—offering video players and ringtones, among other features—were secretly hijacking Android devices to provide traffic for large-scale distributed denial of service (DDoS) attacks.
The botnet, nicknamed WireX, caught the attention of security researchers at the content delivery network Akamai when it was used to attack one of its clients earlier this month. Akamai’s client, a multinational hospitality company, was hit with traffic from hundreds of thousands of IP addresses.
“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” a Google spokesperson said in a statement. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”
The nefarious apps provided a variety of apparently legitimate services, with malware hidden underneath that could use an Android device to quietly participate in a DDoS attack, so long as the device was powered on. It’s not clear how many devices were infected—one Akamai researcher told journalist Brian Krebs that that number could be around 70,000.
After noticing the attack on one of its customers, Akamai brought in researchers from a handful of tech companies including Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, and Team Cymru. The group believes that the infected devices are spread throughout 100 countries.
In one instance, a WireX attack was accompanied by a ransom email, Cloudflare’s head of trust and safety Justin Paine told Gizmodo.
“Once the larger collaborative effort began, the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system,” the researchers wrote in a joint blog post. “The best thing that organisations can do when under a DDoS attack is to share detailed metrics related to the attack. With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible.”
This is just the latest example of apps containing malware making their way into the Google Play Store. Earlier this month, Google booted several apps that contained hidden surveillance software. Just last week, researchers found banking malware in the Play Store. With all these apps sneaking into Play, it’s up to you to protect yourself and your Android device. If you’re ever in doubt about whether an app is safe, do some research on the developer and check out what permissions the app wants on your phone. [Akamai, Krebs on Security]