Researchers have discovered the first known Android mobile malware to use a Twitter account, rather than a traditional command-and-control server, to control infected devices.
According to an ESET, the malware, dubbed Twitoor, is a dropper program that periodically checks in with a maliciously registered Twitter account in order to receive instructions for actions such as downloading other malware on infected device and switching to another account.
This malicious app can’t be found on any official Android app store – it probably spreads by SMS or via malicious URLs. It impersonates a porn player app or MMS application but without having their functionality.
After launching, it hides its presence on the system and checks the defined Twitter account at regular intervals for commands. Based on received commands, it can either download malicious apps or switch the C&C Twitter account to another one.
“Using Twitter instead of command-and-control (C&C) servers is pretty innovative for an Android botnet,” says Lukáš Štefanko, theESET malware researcher who discovered the malicious app.
Malware that enslaves devices to form botnets needs to be able to receive updated instructions. That communication is an Achilles heel for any botnet – it may raise suspicion and, cutting the bots off is always lethal to the botnet’s functioning. Additionally, should the command-and-control (C&C) servers get seized by the authorities, it would ultimately lead to disclosing information about the entire botnet.
To make the Twitoor botnet’s communication more resilient, botnet designers took various steps like encrypting their messages, using complex topologies of the C&C network – or using innovative means for communication, among them the use of social networks.
“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s extremely easy for the crooks to re-direct communications to another freshly created account,” explains Štefanko.
In the Windows space, Twitter (established in 2006) was first used to control botnets as early as in 2009. Android bots have also already been found being controlled via other non-traditional means – blogs or some of the many cloud messaging systems like Google’s or Baidu’s – but Twitoor is the first Twitter-based bot malware, according to Štefanko.
“In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks”, projects ESET’s researcher.
Currently, the Twitoor Trojan has been downloading several versions of mobile banking malware. However, the botnet operators can start distributing other malware, including ransomware, at any time warns Štefanko.
“Twitoor serves as another example of how cybercriminals keep on innovating their business. The takeaway. internet users should keep on securing their activities with good security solutions for both computers and mobile devices,” concludes Lukáš Štefanko.