Malicious App in Google Playstore Used For DDoS Attack on ESET Website

An app from Playstore named Updates for Android has served malware and grouped devices to launch a DDoS attack. This was reported by ESET researchers, who were the victims of this app’s DDoS attack and informed Google to be removed later. Besides gaining devices for an attack, it was also involved in ad fraud and has gained over 50,000 installs from Google Playstore.

Source: ESET
Source: ESET

Ad-fraud and DDoS attack

Though installing from official app stores like Google Playstore is recommended, threat actors will somehow manage to sneak in their malicious apps into it. And users installing will be facing consequences like data theft, ad fraud, or being served in IoT botnets. Here’s one such network created by an attacker, who, under his malicious app as Updates for Android, created a botnet to attack a cybersecurity website!

Malicious App in Google Playstore Used For DDoS Attack on ESET WebsiteESET researcher, Lukas Stefanko described an incident regarding a DDoS attack happened on their website, back in January. This was performed by an unknown operator, who started with an app from Google Playstore. The app, Updates for Android has over 50,000 downloads from Playstore but has malware in it for two weeks before attacking the website, eset.com.

After being installed, it did serve news to look legitimate but also indulged in ad fraud. Besides displaying in-app ads, it’s also displaying ads from the device’s default browser, without any permissions. Further, two weeks before launching the DDoS attack on eset.com, it started gathering devices by infecting and adding to its botnet.

Attaining the purpose

The app’s JavaScript was constantly contacting the operator’s remote server for every 150 minutes and taking commands. And one fine day in January, it attacked eset.com site with over 4,000 inauthentic devices, taking the site down. The takedown lasted for seven hours, before bringing up the site again.

ESET researchers have tracked back the operator’s C2 server and tried to know the attacker. In this pursuit, they found many other scripts that are supposed for attacking e-commerce and news websites, mostly based in Turkey. The researchers have informed Google about this, and the app was taken down. Yet, it’s still available in third-party app stores.

Via: ZDNet

LEAVE A REPLY

Please enter your comment!
Please enter your name here