Android app promised to serve news updates, served ESET with a DDoS attack instead
Last Updated on by Segun Ayo
ESET has been forced to fend off a DDoS attack facilitated by a malicious news app hosted in the Google Play Store.
On Monday, ESET researcher Lukas Stefanko described how the app, named “Updates for Android,” promised users a free daily news feed. The app appeared to gather good reviews with an overall score of 4.3, but secretly, the software was turning installed devices into a botnet in order to launch Distributed Denial-of-Service (DDoS) attacks.
First uploaded to Google Play on September 9, 2019, the Android app proved popular and accounted for over 50,000 installs at its peak.
Updates for Android posed as legitimate software by offering some news feeds and only introduced functionality that could be abused for malicious purposes in its most recent update.
“We don’t know how many instances of the app were installed after the update or were updated to the malicious version,” ESET noted.
Following its update, the malicious app pinged a command-and-control (C2) server belonging to its operator for commands every 150 minutes. The ID of each device with an active install of the app was also forwarded to the server.
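A fixed check-in cadence like the 150-minute polling described above is one of the few things a defender can see from the network side, even when the C2 host itself is unknown. The following Python script is an added example, not code from ESET or from the article: it parses constructed egress log lines (format `ISO-timestamp client_ip destination_host`, with made-up hostnames) and flags client/host pairs whose contact intervals are nearly constant. The thresholds (`min_hits`, coefficient-of-variation limit `max_cv`) are assumed starting points, not values from the report.

```python
"""Detect periodic client-to-host check-ins ("beaconing") in egress logs.

Added illustration, not code from ESET or the article. The log format
("ISO-timestamp client_ip destination_host") and the hostnames are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: one device checks in with a fixed 150-minute cadence,
# and the same device also browses a news site at irregular times.
SAMPLE_LOG = """\
2020-01-10T00:00:00 10.0.0.12 c2.example.invalid
2020-01-10T00:07:13 10.0.0.12 news.example.invalid
2020-01-10T02:30:00 10.0.0.12 c2.example.invalid
2020-01-10T03:45:51 10.0.0.12 news.example.invalid
2020-01-10T05:00:00 10.0.0.12 c2.example.invalid
2020-01-10T05:01:02 10.0.0.12 news.example.invalid
2020-01-10T07:30:00 10.0.0.12 c2.example.invalid
2020-01-10T09:12:40 10.0.0.12 news.example.invalid
2020-01-10T10:00:00 10.0.0.12 c2.example.invalid
2020-01-10T11:58:09 10.0.0.12 news.example.invalid
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} from whitespace-separated lines."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, host = parts
        hits[(client, host)].append(datetime.fromisoformat(ts))
    return hits


def find_beacons(hits, min_hits=4, max_cv=0.10):
    """Flag (client, host) pairs whose inter-contact intervals are nearly constant.

    A pair is reported when it has at least `min_hits` contacts and the
    coefficient of variation (stdev / mean) of the gaps between contacts is
    below `max_cv`. Returns {(client, host): mean_interval_minutes}.
    """
    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg < max_cv:
            beacons[key] = round(avg, 1)
    return beacons


def scan(text, **kwargs):
    """Convenience wrapper: parse the log text and return the flagged pairs."""
    return find_beacons(parse_log(text), **kwargs)


if __name__ == "__main__":
    for (client, host), interval in scan(SAMPLE_LOG).items():
        print(f"{client} -> {host}: regular check-in every {interval} min")
```

On the constructed sample the news-site traffic is ignored because its gaps vary widely, while the 150-minute contacts are reported as a single regular pair. In practice the interval alone is not proof of compromise (software updaters and sync clients also poll on fixed schedules), so the output is a triage list to be joined with destination reputation and device inventory, not an alert by itself.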
The DDoS attack launched against the eset.com website took place in January this year. The cybersecurity firm says that the DDoS assault lasted for roughly seven hours using over 4,000 unique IP addresses, with thousands of instances originating from active Updates for Android installations.
Only a small number of user devices appear to have been involved in the DDoS attack against the cybersecurity firm. However, ESET says that tracking the C2 revealed other scripts being served in attacks against e-commerce and news websites — many of which are based in Turkey.
ESET tracked the source of the DDoS and informed Google of its findings. The app has now been removed from Google Play.
Updates for Android has a corresponding website, i-updater[.]com, which remains active as the domain itself is not malicious and, therefore, there are no current grounds for a takedown request. The malicious app is also still available on third-party, unofficial app stores.
ZDNet has reached out to Google and will update when we hear back.