Twitter-Controlled Android Botnet Discovered

Twitter-Controlled Android Botnet Discovered

Security researchers at ESET have discovered an Android botnet that uses Twitter instead of the traditional command-and-control (C&C) server to infect devices. The company claims the discovery is the first of its kind, and a potential new vector for cybercriminals to exploit.

The botnet has been dubbed Android/Twitoor by ESET researchers and has been around for a month or so, having been discovered in July 2016. It is disguised as a pornography app, or an MMS app but actually contains a mobile banking trojan. Users get infected through SMS or malicious URLs, rather than through downloading an app via an official Android app store, ESET said.

Once launched, the malware remains hidden on the infected system, checking a predefined Twitter account at regular intervals for instructions. Generally it then either downloads further malware or switches the Twitter account it uses instead of a C&C server.

ESET researchers said this discovery shows that cyber-criminals are adapting their methods to defeat security defenses. “Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” said Lukáš Štefanko, the ESET researcher who discovered the botnet.

“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” he added.

What’s interesting about this development is that it sidesteps one of the more effective ways of stopping the spread and effectiveness of botnets: the C&C server. If authorities take a C&C server offline, the botnet operation generally goes offline as well. With Twitoor, it seems that if the Twitter account is banned, the botnet can simply switch to another to receive its instructions.

It’s likely that cyber-criminals will continue to adopt innovating methods such as this, Štefanko added. “In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks,” he said.

Photo © BeeBright

Source: Information Security Magazine