Android users generally assume Google’s Play Store is safe to use since the tech giant scans all its apps to ensure none contain malware. Every once in a while, however, hackers manage to get malicious apps past Google. Recently, according to reports, Google had to remove 300 apps from its Play Store as they were found to be using Android devices to launch distributed denial of service (DDoS) attacks.

Hijacking Phones for Large-scale DDoS Attacks

The apps Google removed were seemingly harmless: video players, storage managers, and so on. As it turns out, they were merely masquerading as legitimate apps, when in reality they were hijacking users’ phones to use them as part of a DDoS botnet.

The botnet caught the attention of content delivery network Akamai after being used to assault one of its clients, a hospitality company, with traffic from hundreds of thousands of different IPs. Dubbed WireX, the botnet is said to have been active since around August 2, but was only discovered on August 17. In some of its attacks it also asked for ransom fees.

After discovering the threat, Akamai teamed up with Google and several security researchers from companies including Cloudflare, RisIQ, Team Cymru, and Flashpoint to investigate and solve the issue. The findings, according to a Google spokesperson, led to a large number of apps on the Play Store:

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices. The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”

These apps could use infected devices for DDoS attacks as long as they were powered on. It is not clear how many were infected, but Akamai told journalist Brian Krebs that up to 70,000 devices could have been compromised. Researchers believe the botnet had managed to infect devices in 100 different countries.

In one occurrence, according to Gizmodo, WireX emailed the organization it was attacking, demanding a ransom. Cybercriminals have been pushing different types of ransomware lately, as The Merkle recently reported on a Chinese underground app that allows anyone without coding skills to create custom ransomware.

Google is now handling the apps that infected Android users by removing them both from its Play Store and from affected devices. It is unclear how long that will take.

WireX’s origins

Researchers believe WireX likely began as a distributed method of “click fraud,” a form of fraud that occurs when malicious scripts or programs imitate a legitimate user clicking on ads in order to generate revenue. According to reports, multiple antivirus tools currently detect WireX as a click fraud malware, not as a DDoS botnet.

At some point, WireX’s administrators decided to use their expertise to turn WireX into a DDoS botnet. It was able to generate what appeared to be legitimate internet traffic, as it included what was named a “headless” web browser that could do everything a real browser does without displaying its interface to the user on the infected device.