Lukas Stefanko: How we fought off a DDoS attack from a mobile botnet

Hot on the heels of his research into an attack that attempted to take down ESET’s website, Lukas Stefanko sheds more light on threats posed by mobile botnets

Hot on the heels of his research into an attack that attempted to take down ESET’s website, Lukas Stefanko sheds more light on threats posed by mobile botnets

In the course of fighting off a DDoS attack on ESET’s infrastructure, ESET researchers discovered a malicious mobile app used to make the flood of requests to its website. ESET Malware Researcher Lukas Stefanko analyzed the app and published his findings yesterday. We sat down with him to ask a few follow-up questions.

The attack was conducted using a mobile app – is it a common vector for DDoS attacks?

On one hand, mobile-based DDoS attacks are quite rare. DDoS attacks are still typically launched via personal computers or servers. However, the times, they are changing. Mobile devices grow more powerful, their connectivity grows faster… If their share on the overall internet traffic, I mean in the consumer space, is set to surpass computers – we can’t expect the criminals to stay shy from using them for their attacks.

By the way, the capability to perform a DDoS attack is missing in the MITRE ATT&CK knowledge base of malicious mobile techniques. We’ve submitted it as a new technique because we think this threat will keep growing and that defenders should be aware of it.

The attack on our infrastructure serves as a good illustration: the criminals managed to reach over fifty thousand installs with their app, which is by no means a low number. However, in the past, there were numerous cases of mobile adware reaching millions of installs before being detected. This shows that it’s possible to quickly build a relatively strong botnet.

Criminals tend to follow some goals with their action. Do you have any clue what their goal was with that DDoS attack?

In short – no, we can only speculate. However, the only net effect of the attack was that they exposed their botnet, we reported the app they used and it has been taken down from the Play store and wiped from the users’ devices – those with the Google Protect feature turned on. Practically, this DDoS tool no longer exists.

So, game over?

Well… with a few caveats, yes.

The app may have been downloaded also from unofficial app stores and there are no means for wiping those installs from the infected devices. Also, the app may be still lurking at some places outside the Play store. However, we haven’t seen any such distribution mechanism, so, in my opinion, this is not a real threat.

Besides that, the website that acts as C&C server is still functional. However, without a significant number of infected devices, the website is useless.

How come no security mechanism detected the app prior to it being listed onto the official Android store?

Look, the diversity of apps is beyond imagination. The number of features is high, and their combinations are endless. Despite this, the apps that are outright malicious get caught, with rare exceptions. In this particular case, the app that was, ultimately, used for the attack, is not malicious per se. It is capable of contacting a defined website and loading a script from it – a feature which is quite standard in many apps. And it’s the script what makes the app malicious.

Probably, all the apps that have the functionality of downloading anything should be examined taking the downloaded content into account…

Unfortunately, it’s not that simple. Keep in mind that what the app downloads may be changed at any moment…

Does this mean that there is no viable way to prevent this type of malicious app from sneaking into the Store?

Well, while I’m not going to disclose any details, we’ve improved our detection systems. So, based on this experience, chances are that we will be able to flag similar Trojans to Google.

Given the fact that safeguarding an app store can never be bulletproof – seems that there is a need for additional protections at the endpoint level…

This is nothing new, nor is it limited to any particular platform. With the ever-growing variability and sophistication of attacks, you can never rely on a single layer of protection. Ideally, you should defend yourself at every point of the attack chain – starting with securing the source, all the way through post-execution stages, should the malware reach them.

I’d like to stress that, based on what we have learned by analyzing this attack, we have improved our detection mechanisms, including our machine learning-based detections.

So similar malicious apps should be prevented from sneaking to devices protected by ESET’s mobile security solution?

In principle, yes. Our users should be safe from this threat. However, the improvements I mentioned relate mostly to post-processing protective technologies – which means the threat might make it onto the device.

After the malware gets processed by our backend system and the newly created detections are pushed onto the protected devices, the malicious app would be detected and flagged to the user.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center