Hundreds of thousands of home routers, IP cameras and other internet-of-things devices have been infected with malware over the past year and have been used to launch some of the largest distributed denial-of-service (DDoS) attacks ever recorded. Attackers are now doing the same with Android devices, with the help of malicious applications hosted on Google Play and other third-party app stores.

A joint investigation by the security teams from Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru has led to the discovery of a large botnet made up of over 100,000 Android devices located in more than 100 countries. The investigation was launched in response to large DDoS attacks that have hit several content providers and content delivery networks over the past few weeks.

The goal behind DDoS attacks is to flood servers with bogus traffic in order to use up their available internet bandwidth or their CPU and RAM resources so they can no longer serve requests from legitimate users. Servers are typically configured to handle a certain number of concurrent connections based on the estimated number of visitors that they're expected to receive. Load balancers, firewalls and other anti-DDoS technologies are used to limit the negative impact of any sudden traffic spikes, but with enough firepower, attackers can disrupt even the most well-protected networks.

This particular Android botnet, which has been dubbed WireX, was used to send tens of thousands of HTTP requests that were meant to resemble those coming from legitimate browsers. The researchers were able to establish a pattern to the User-Agent string reported by the rogue clients and traced them back to malicious Android applications. Some of the applications were available in third-party app stores that came pre-installed on devices, but around 300 of them were hosted on Google Play.

"Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected," the researchers said in a report. 

Google has removed the malicious applications from Google Play and started to remotely remove them from affected devices as well. Furthermore, the Play Protect feature which runs locally on Android devices prevents these apps from being reinstalled, the researchers said.

Source: Forbes.com