When Androids Attack: Protecting Against WireX Botnet DDoS Attacks

By: Mohammed Al-Moneer, Regional Director, MENA at A10 Networks

It appears Mirai may have some competition. And its name is WireX.

Google recently removed roughly 300 apps from its Play Store after researchers found that the apps in question were secretly hijacking Android devices to feed traffic to wide-scale distributed denial of service (DDoS) attacks against multiple content delivery networks (CDNs) and content providers.

The WireX botnet is to blame. Akamai researchers first discovered WireX when it was used to attack one of its clients, a multinational hospitality company, by sending traffic from hundreds of thousands of IP addresses.

The malicious applications in question included media and video players, ringtones and other tools like storage managers. According to Gizmodo, the nefarious apps contained hidden malware that could use an Android device to participate in a DDoS attack as long as the device was powered on.

It’s unclear how many devices were infected – one researcher told KrebsOnSecurity that WireX infected a minimum of 70,000 devices, but noted that estimate is conservative. It is believed that devices from more than 100 countries were used to participate in the attacks.

Protecting Mobile Networks from Weaponized Smartphones

WireX, much like its predecessor Mirai, illustrates the importance of protecting your network and applications from attacks. Large-scale attacks can come from anywhere, even a botnet comprising tens of thousands of Android devices. As these types of attacks grow in frequency, sophistication and size, organizations need to have solutions in place to stop them before they have the opportunity to wreak havoc.

WireX is unique in that it introduces a new threat: weaponized smartphones, billions of endpoints ripe for infection that can spread malicious traffic across a mobile network.

Traditionally, mobile and service provider networks are protected against attacks that come in through the Internet. However, many critical components are left unprotected based on the assumption that attacks will be stopped at the Internet edge. Attacks like WireX change this paradigm.

WireX proves that attacks can originate from inside a mobile network as well, and a few thousand infected hosts can affect the core components, the "brain", of a mobile network. These infected smartphones will eventually start to attack the critical components of mobile networks, and the potential fallout from that could be tremendous.

Attacks like WireX reinforce the need for service providers to protect their key assets on all fronts – not just from attacks from the outside, but from the inside as well.

The WireX botnet is yet another example of seemingly harmless apps being hijacked and used for large-scale DDoS attacks. WireX is an app store delivery problem, but as is often the case, there is probably more to it - careless employees, poor security hygiene, lack of multi-factor authentication, etc. How often does this happen? Do IT professionals even know when it does? A10 Networks’ recent research throws up some interesting findings:

38% of IT decision-makers say their company endpoints and infrastructure have suffered a botnet attack at least once; 12% are not sure if this has occurred.

One in four (27%) employees surveyed don’t know what a botnet is – and one in three (37%) employees surveyed aren’t familiar with DDoS attacks – making it hard to protect someone when they don’t know what the dangers are.

Almost half (48%) of IT leaders agree or strongly agree that their employees do not care about following security practices. 

Only two of five (41%) employees claim responsibility for the security and protection of non-business apps they use. 

To combat attacks like WireX, service providers and mobile network operators need an intelligent, scalable DDoS defense solution between smartphones and the mobile network infrastructure, covering both internal and external traffic. To address this sophisticated type of attack, a modern DDoS solution requires intelligence to understand the changing nature of a polymorphic attack, one that can change signatures and vary headers, like those launched by WireX.

Placing high-performance, scalable and intelligent threat protection in the mobile network will help service providers defend against these billions of weaponized endpoints and empower them to detect online threats and multi-vector attacks, learn from them and, most importantly, stop them.