Android app promised to serve news updates, served ESET with a DDoS attack instead

The app managed to slither into Google Play and was downloaded at least 50,000 times.
Written by Charlie Osborne, Contributing Writer

ESET has been forced to fend off a DDoS attack facilitated by a malicious news app hosted in the Google Play Store. 

On Monday, ESET researcher Lukas Stefanko described how the app, named "Updates for Android," promised users a free daily news feed. The app appeared to gather good reviews with an overall score of 4.3, but secretly, the software was creating a botnet of slave devices in order to launch Distributed Denial-of-Service (DDoS) attacks. 

First uploaded to Google Play on September 9, 2019, the Android app proved popular and accounted for over 50,000 installs at its peak. 


Updates for Android posed as legitimate software by offering some news feeds and only introduced functionality that could be abused for malicious purposes in its most recent update. 

"We don't know how many instances of the app were installed after the update or were updated to the malicious version," ESET noted. 

The functionality in question is the "ability to load JavaScript from an attacker-controlled server and execute it on the user device," according to the researchers. As this feature was a late addition and only appeared two weeks before the attack, the team says this explains why the app managed to circumvent Google Play's security controls. 

Following its update, the malicious app pinged a command-and-control (C2) server belonging to its operator for commands every 150 minutes. The ID of each device with an active install of the app was also forwarded to the server. 

ESET says the app was able to display ads in the mobile device's default browser -- going beyond the standard in-app ads, potentially for the purpose of ad fraud -- as well as hide its icon and execute arbitrary JavaScript supplied by the C2.

It was a JavaScript command that was used for the DDoS attack on ESET's website, leading to a flood of inauthentic traffic. 

The DDoS attack launched against the eset.com website took place in January this year. The cybersecurity firm says that the DDoS assault lasted for roughly seven hours using over 4,000 unique IP addresses, with thousands of instances originating from active Updates for Android installations. 

Only a small number of user devices appear to have been involved in the DDoS attack against the cybersecurity firm. However, ESET says that tracking the C2 revealed other scripts being served in attacks against e-commerce and news websites -- many of which are based in Turkey. 

ESET tracked the source of the DDoS and informed Google of its findings. The app has now been removed from Google Play. 

"Detecting this kind of malicious functionality is not easy, as the very same technique (of course, without any malicious JavaScript being loaded) is used by dozens of legitimate Android software development kits and frameworks," the researchers noted. "This means that any plain detection based on such code would result in lots of false positives."
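Where code-based signatures are noisy, the fixed 150-minute check-in described earlier is a network-side signal a defender can look for instead. The following is an added example, not code from ESET or from this article: it flags clients that contact one host at near-constant 150-minute intervals, and the log format, hostnames and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client IP> <destination host>".
# Hosts are placeholders, not indicators from the ESET report.
SAMPLE_LOG = """\
2020-01-10T00:03:10 10.0.0.21 c2.example.net
2020-01-10T02:33:12 10.0.0.21 c2.example.net
2020-01-10T05:03:09 10.0.0.21 c2.example.net
2020-01-10T07:33:11 10.0.0.21 c2.example.net
2020-01-10T08:01:00 10.0.0.35 news.example.org
2020-01-10T08:02:30 10.0.0.35 news.example.org
2020-01-10T09:15:00 10.0.0.35 news.example.org
2020-01-10T13:40:00 10.0.0.35 news.example.org
2020-01-10T00:00:00 10.0.0.42 cdn.example.com
2020-01-10T01:00:00 10.0.0.42 cdn.example.com
2020-01-10T05:30:00 10.0.0.42 cdn.example.com
2020-01-10T07:30:00 10.0.0.42 cdn.example.com
truncated-line-without-fields
"""

def find_beacons(log, period_min=150, tolerance_min=5, max_jitter_min=3, min_hits=4):
    """Return (client, host, mean_gap_min, jitter_min) for fixed-interval check-ins."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip unparseable timestamps
    findings = []
    for (client, host), times in sorted(seen.items()):
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        # The mean gap alone is not enough: 10.0.0.42 also averages 150 minutes,
        # but its gaps vary widely, so the jitter bound rejects it.
        if abs(avg - period_min) <= tolerance_min and jitter <= max_jitter_min:
            findings.append((client, host, round(avg, 1), round(jitter, 1)))
    return findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The thresholds are starting points: mobile devices sleep and switch networks, so real check-in gaps will be noisier than in this constructed sample.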

Updates for Android has a corresponding website, i-updater[.]com, which remains active as the domain itself is not malicious and, therefore, there are no current grounds for a takedown request. The malicious app is also still available on third-party, unofficial app stores.

ZDNet has reached out to Google and will update when we hear back. 
