Twitoor: The First Android Botnet to Receive Commands From Twitter

A new Android backdoor was discovered to rely on a very creative commands receiving method, ESET researchers report. Named Android/Twitoor, this newly found piece of malware doesn’t connect to a C&C server, but to a Twitter account instead.

Android/Twitoor has been around only for a month now and it is spread via SMS or phony URLs sent to users, according to researchers. It was designed in a way to download malicious apps on the victims` devices. Luckily, the malware hasn’t been found available in official Android stores.

ESET researchers say that the backdoor is imitating MMS programs or porn player app, but it does not present the functionality such software usually have. Once launched onto the infected device, it hides itself while regularly checking a defined Twitter account for commands.

An analysis conducted by researcher revealed that depending on the commands received, the malware either downloads malicious apps on the infected device or switches to another C&C Twitter account.

“Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet.”
– said the ESET’s malware researcher who discovered the malicious app, Lukáš Štefanko.

ESET explains that C&C server communication is a necessity for pieces of malware, which turn devices into botnets. Via this communication the malware regularly receives new instructions, but this easily catches users` attention. Also, if these servers are seized, they tend to disclose information about the entire botnet.

That’s why Android/Twitoor`s authors decided to secure their botnet`s communication by encryption the sent messages. They also used complex topologies of the C&C network and new communication methods like social networks.

“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account” – adds Štefanko.

Štefanko also says that, for Android, Twitoor is the first Twitter-based bot malware but other bots have also been spotted to use unusual controlling means likes cloud messaging system and blogs. Moreover, the researcher says that back in 2009 Twitter was used to control botnets for Windows and in 2012 Flashback Trojan which was targeting Macs, was designed to use Twitter as a C&C mechanism.

According to experts, it won`t take long before crooks start using Facebook, LinkedIn and other social networks for their malicious actions. For now, Twitoor has only been downloading mobile banking malware on the compromised devices but, ESET thinks, it is only a matter of time before its authors switch to other types of malware.

Users are strongly advised to double check before opening URLs send from unknown or suspicious sources. They should also keep up to date their devices` OSs, security software, and all apps.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.