When Androids Attack: Protecting Against WireX Botnet DDoS Attacks

It appears Mirai may have some competition. And its name is WireX.

Google recently removed roughly 300 apps from its Play Store after researchers found that the apps in question were secretly hijacking Android devices to feed traffic to wide-scale distributed denial of service (DDoS) attacks against multiple content delivery networks (CDNs) and content providers.

According to a team of researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and other organizations, the WireX botnet is to blame.

Akamai researchers first discovered WireX when it was used to attack one of its clients, a multinational hospitality company, by sending traffic from hundreds of thousands of IP addresses.

“The WireX botnet comprises primarily Android devices running malicious applications and is designed to create DDoS traffic. The botnet is sometimes associated with ransom notes to targets,” Cloudflare wrote in a blog post.

WireX used the hijacked devices to launch the volumetric application layer DDoS attacks, Cloudflare noted. The traffic generated by the attack nodes was primarily HTTP GET requests, though some variants appeared to be capable of issuing POST requests. In other words, the botnet produces traffic resembling valid requests from generic HTTP clients and web browsers.

The malicious applications in question included media and video players, ringtones and other tools like storage managers. According to Gizmodo, the nefarious apps contained hidden malware that could use an Android device to participate in a DDoS attack as long as the device was powered on.

It’s unclear how many devices were infected – one researcher told KrebsOnSecurity that WireX infected a minimum of 70,000 devices, but noted that estimate is conservative. It is believed that devices from more than 100 countries were used to participate in the attacks.

“Seventy thousand was a safe bet because this botnet makes it so that if you’re driving down the highway and your phone is busy attacking some website, there’s a chance your device could show up in the attack logs with three or four or even five different Internet addresses,” Akamai Senior Engineer Chad Seaman said in an interview with KrebsOnSecurity. “We saw attacks coming from infected devices in over 100 countries. It was coming from everywhere.”

Protecting Mobile Networks from Weaponized Smartphones

WireX, much like its predecessor Mirai, illustrates the importance of protecting your network and applications from attacks. Large-scale attacks can come from anywhere, even a botnet comprising tens of thousands of Android devices. As these types of attacks grow in frequency, sophistication and size, organizations need to solutions in place to stop them before they have the opportunity wreak havoc.

WireX is unique in that it introduces a new threat: Weaponized smartphones, which introduces billions of endpoints ripe for infection that can propagate bad agents upon a mobile network.

Traditionally, mobile and service provider networks are protected against attacks that come in through the Internet. However, many critical components are left unprotected based on the assumption that attacks will be stopped at the Internet edge. Attacks like WireX change this paradigm.

“WireX proves that attacks can originate from inside a mobile network as well, and a few thousand infected hosts can affect the brain of a mobile network,” A10 Director of Product Management Yasir Liaqatullah said. “These infected smartphones will eventually start to attack the critical components of mobile networks, and the potential fallout from that could be tremendous.”

Attacks like WireX reinforce the need for service providers to protect their key assets on all fronts – not just from attacks from the outside, but from the inside as well.

To combat attacks like WireX, service providers and mobile network operators need an intelligent, scalable DDoS defense solution between smartphones and the mobile network infrastructure, both the internal and external. To address this sophisticated type of attack, a modern DDoS solution requires intelligence to understand the changing nature of a polymorphic attack, which has the ability to change signatures and varying headers, like those launched by WireX.

Placing high-performance, scalable and intelligent threat protection in the mobile network will help service providers defend against these billions of weaponized endpoints and empower them to detect online threats and multi-vector attacks types of attacks, learn from them and, most importantly, stop them.

How A10 Helps

A10 delivers a multi-layered approach to ensure service providers’ and mobile operators’ entire infrastructure – both inside and out – is protected from threats.

For example, A10 Thunder CFW features integrated Gi/SGi firewall capabilities that protect mobile core infrastructure and subscribers from multi-vector attacks and ensure applications are highly available, accelerated and secure. Gi/SGi firewall provides highly scalable, flexible and high-performance security at strategic locations in the mobile network, particularly the Gi/SGi LAN interface with the Internet.

Gi/SGi firewall not only protects the control plane and data plane within a mobile network, but also features DDoS protection for public and private NAT IP pools to ensure the mobile core infrastructure and subscribers are protected from DDoS attacks. It can detect more than 30 IP packet anomalies with IP blacklists for deeper and more granular attack mitigation. Connection rate limiting and system-wide connection limits detect and block bad traffic. And the IPsec functionality for mobile backhaul prevents eavesdropping and delivers secure communications over wireless and Wi-Fi networks.

Meanwhile, A10 Thunder TPS, our family of high-performance DDoS protection solutions, can stop WireX-powered DDoS attacks to protect apps and networks from disruption.

Thunder TPS can mitigate polymorphic attacks such as attack signature changing and varying headers, like those launched by WireX, which requires intelligence and extensive use of RegExs. And Thunder TPS performs polymorphic attack mitigation better than other DDoS protection solutions, which rely on static signatures such as a constant header.

At the same time, Thunder TPS delivers the industry’s best scale with up to 300 Gbps at a rate of 440 Mpps. And the 100ms mitigation intervals and FPGA-based traffic acceleration mitigate attack vectors before they burden CPUs. TPS uses more than three dozen intelligence sources to block malicious traffic and escalates suspect traffic through more than 27 behavioral indicators to avoid legitimate traffic drops.

TPS is the world’s highest-performance DDoS solution to protect against megabit to terabit multi-vector DDoS attacks, like those fueled by WireX.

To learn more download our A10 Thunder TPS and A10 Thunder CFW data sheets.

Add new comment