ESET has been forced to fend off a DDoS attack facilitated by a malicious news app hosted in the Google Play Store.
On Monday, ESET researcher Lukas Stefanko described how the app, named “Updates for Android,” promised users a free daily news feed. The app appeared to collect good reviews, with an overall rating of 4.3, but secretly the software was enrolling the devices it ran on in a botnet in order to launch Distributed Denial-of-Service (DDoS) attacks.
First uploaded to Google Play on September 9, 2019, the Android app proved popular and accounted for over 50,000 installs at its peak.
Updates for Android posed as legitimate software by offering some news feeds, and only introduced the functionality that could be abused for malicious purposes in its most recent update.
“We don't know how many instances of the app were installed after the update or were updated to the malicious version,” ESET noted.
Following the update, the malicious app contacted a command-and-control (C2) server belonging to its operator for instructions every 150 minutes. The ID of each device with an active installation of the app was also forwarded to the server.
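A fixed polling interval like the 150 minutes described above is exactly the kind of pattern a network defender can hunt for in egress logs. The following is an added example written for this page, not code from ESET's analysis or from the app itself: it reads a constructed log of outbound connections, groups them by client and destination, and flags pairs whose inter-request gaps are nearly constant. The log format, the IP addresses and the hostnames are all invented for the demonstration.

```python
"""
Added example (not ESET's or the app's code): flag clients that contact the
same host at a near-constant interval, the way the article describes the app
polling its C2 every 150 minutes.

The log format and every client/host below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "<ISO timestamp> <client> <destination host>"
# 10.0.0.5 talks to c2.example.test every ~150 minutes with a few seconds of
# jitter; 10.0.0.7 reads a news site at irregular, human-looking times.
SAMPLE_LOG = """\
2020-01-12T00:00:00 10.0.0.5 c2.example.test
2020-01-12T00:05:12 10.0.0.7 news.example.test
2020-01-12T02:30:04 10.0.0.5 c2.example.test
2020-01-12T03:11:40 10.0.0.7 news.example.test
2020-01-12T05:00:01 10.0.0.5 c2.example.test
2020-01-12T06:47:09 10.0.0.7 news.example.test
2020-01-12T07:30:03 10.0.0.5 c2.example.test
2020-01-12T09:03:55 10.0.0.7 news.example.test
2020-01-12T10:00:00 10.0.0.5 c2.example.test
"""


def parse_log(text):
    """Return {(client, host): [timestamps]} from the constructed log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, min_hits=4, max_jitter=0.05):
    """
    Flag (client, host) pairs whose inter-request gaps are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps; real malware adds some randomness, so a small tolerance is needed.
    Returns {(client, host): period_in_seconds}.
    """
    results = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            results[key] = round(period)
    return results


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {period / 60:.1f} min")
```

On the constructed log this reports only 10.0.0.5 -> c2.example.test with a 9000-second (150-minute) period; the news-site traffic has gaps that vary by more than the 5% tolerance and is left alone. In practice the threshold and minimum hit count need tuning against benign periodic traffic such as package-manager or time-sync checks.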
The DDoS attack launched against the eset.com website took place in January this year. The cybersecurity firm says that the DDoS attack lasted for roughly seven hours and used over 4,000 unique IP addresses, with thousands of instances originating from active Updates for Android installations.
Only a small number of user devices appear to have been involved in the DDoS attack against the cybersecurity firm. However, ESET says that monitoring the C2 revealed other scripts being served in attacks against e-commerce and news websites, many of which are based in Turkey.
ESET tracked the source of the DDoS and informed Google of its findings. The app has now been removed from Google Play.
Updates for Android has a corresponding website, i-updater[.]com, which remains active because the domain itself is not malicious and, therefore, there are no current grounds for a takedown request. The malicious app is also still available on third-party, unofficial app stores.
ZDNet has reached out to Google and will update when we hear back.