A new strain of mobile malware has been discovered that uses Twitter to control a botnet comprised of Android phones and tablets.
Known as Twitoor, the Trojan is believed to be the first to use the social network to coordinate infected devices instead of a command-and-control (C&C) server.
After the malware is downloaded, it hides and regularly checks in with a malicious Twitter account for commands. These instructions direct the Trojan to either download and install additional malicious applications -- mostly data-stealing mobile banking malware -- or to switch to a different C&C Twitter account.
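The regular check-ins described above are the defender's handle: even when the account changes, the polling rhythm stays. The following is an added illustration, not code from ESET or the article, of how a hypothetical on-device network monitor's log (timestamp, package name, host; all sample lines constructed here) could be screened for apps outside a Twitter-client allowlist that contact Twitter hosts at near-constant intervals.

```python
"""Flag apps whose connections to Twitter look like periodic C2 polling.

Constructed example. Assumes a simple per-connection log of the form
"<seconds> <package> <host>", as a hypothetical network monitor might emit.
"""
from collections import defaultdict
from statistics import mean, pstdev

TWITTER_HOSTS = {"twitter.com", "api.twitter.com", "mobile.twitter.com"}
# Apps expected to talk to Twitter (constructed allowlist).
KNOWN_CLIENTS = {"com.twitter.android"}

# Constructed sample log: a genuine client used irregularly by a person, and
# a fake "messenger" app checking api.twitter.com every 60 seconds.
SAMPLE_LOG = """\
0 com.twitter.android api.twitter.com
7 com.twitter.android api.twitter.com
95 com.twitter.android mobile.twitter.com
0 com.fake.messenger api.twitter.com
60 com.fake.messenger api.twitter.com
120 com.fake.messenger api.twitter.com
180 com.fake.messenger api.twitter.com
240 com.fake.messenger api.twitter.com
"""

def parse_log(text):
    """Group connection timestamps to Twitter hosts by package name."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, pkg, host = line.split()
        if host in TWITTER_HOSTS:
            events[pkg].append(int(ts))
    return events

def is_beaconing(timestamps, min_events=4, max_jitter=0.2):
    """True when gaps between check-ins are near-constant (low relative spread)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def suspicious_apps(log_text):
    """Packages not on the allowlist that poll Twitter on a fixed schedule."""
    return sorted(pkg for pkg, ts in parse_log(log_text).items()
                  if pkg not in KNOWN_CLIENTS and is_beaconing(ts))

if __name__ == "__main__":
    print(suspicious_apps(SAMPLE_LOG))
```

A real deployment would also want to record which account handle each app requests, since an app that jumps between handles while keeping the same cadence matches the account-switching behaviour described here.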
"Using Twitter instead of command-and-control servers is pretty innovative for an Android botnet," says Lukáš Štefanko, the ESET malware researcher who discovered the malicious app.
The malicious Twitoor app, which is thought to have been operating for around a month, can't be downloaded through the Google Play store. Researchers therefore suspect that it's spread via text messages or malicious URLs, impersonating a messaging application or a porn player in order to trick users into downloading the malware.
Device-enslaving botnets are favored by cybercriminals. However, a botnet that sends instructions from a single server farm is potentially detectable, since, in the right hands, information about those servers can be used to track down the perpetrators and eventually shut the botnet down.
Avoiding that weakness makes the Twitoor Android botnet more resilient than an average botnet, as its command-and-control operations can continually be switched from one Twitter account to another in order to evade detection. Those behind the malware have also taken additional steps to safeguard Twitoor, including encrypting messages to further obfuscate their activities.
"These communication channels are hard to discover and even harder to block entirely. On the other hand, it's extremely easy for the crooks to redirect communications to another freshly created account," says Štefanko.
While botnets aren't a new threat -- on Windows, Linux or Android devices -- the nature of Twitoor represents an evolution in how such networks are run. ESET researchers suggest the technique could even be used to distribute ransomware.
"Twitoor serves as another example of how cybercriminals keep on innovating their business," says Štefanko.