In January this year, a DDoS attack targeted the security firm ESET’s global website. This attack was conducted using approximately 4,000 unique IP addresses and lasted for 7 hours. However, after detecting the malicious Android app, ESET researchers put a stop to it.

What happened

  • The attack was conducted using several instances of the “Updates for Android” app that was available on the Android app store. The malicious functionality of the app depended on its ability to load JavaScript from an attacker-controlled server and deploy it on the victim’s device.
  • The app also has a corresponding website that promotes itself as daily news updates. However, the website has not been taken down since it is not malicious.

The wider view

  • The app reached over 50,000 installs before Google promptly removed it from the Play Store after being informed of its malicious nature.
  • The app has nothing to do with system updates and its name on unofficial app stores is misleading.
  • The main functionality of the app is to receive commands from a pre-defined server that serves as a C&C server.

What the experts are saying

  • The same tactic is employed by several legitimate Android software development frameworks and kits.
  • The attackers are suspected to wait for the user base to expand before implementing the malicious functionality.

Worth noting

  • Out of the 50,000 installs, only 10% were involved in the attack.
  • This app is present in other unofficial app stores and has been displaying daily news to the users.
  • The app was first uploaded on Google Play Store in early September in 2019.

In essence

This method of DDoS attack relies on the number of infected devices available to malicious actors.
Cyware Publisher