The Android Play Store keeps making the news due to various malicious apps. This time, however, the app in question did not target its users directly. Instead, this Android app targeted the website of the security firm ESET with DDoS attacks.
Android App Does DDoS Attacks On ESET
In a recent post, ESET researcher Lukas Stefanko revealed details about an Android app that targeted the ESET website with DDoS attacks.
Briefly, the app, dubbed “Updates for Android”, appeared on the Play Store as a news update app. It linked back to the website i-updater[.]com, which promoted the app. It apparently looked, and remained, fairly harmless, consequently earning thousands of downloads.
However, according to ESET’s analysis, the only malicious trait in this app was its ability to load and execute malicious JavaScript (JS) on the target device.
This ability was not present when the app first appeared online in late 2019. Hence, it evaded Google Play Store’s security checks.
However, following an update around two weeks ago, the app gained this ability.
As a result, it turned the devices of all its users into a botnet. The app started downloading malicious JavaScript from the attacker’s server to run on users’ devices. It also displayed ads on the devices via their browsers and hid the app icon.
However, it was the ability to execute JS that the threat actors used to wage a DDoS attack. As the researchers stated:
The DDoS attack starts with the compromised device receiving a command to load the attacker’s script that specifies the targeted domain. Once the script is loaded, the device starts making requests to the targeted domain until it is served with another script by the C&C server which may contain a different target domain.
Since the app targeted ESET’s own website, the researchers quickly identified the source of the attack.
App Now Taken Down
Upon detecting the malicious app, ESET got in touch with Google, who eventually removed the app.
The researchers stated, though, that the website (i-updater[.]com) remained up, as it was not malicious. However, when LHN checked the website, it merely appeared as a blank page. Even the page source showed no text besides some code for the site layout.
This means either that the threat actors behind the app are planning to go underground, or that they have merely cleared the site in order to rebuild it in a new form.
Let us know your thoughts in the comments.