sb-as logo
Story image

ESET discovers new Android botnet controlled by Twitter

ESET has discovered the first-ever Twitter-controlled Android botnet. 

According to the security firm, reseaerchers have discovered an Android backdoor Trojan that is controlled by tweets.

Detected by ESET as Android/Twitoor, it’s the first malicious app using Twitter instead of a traditional command-and-control (C&C) server, the company explains.

After launch, the Trojan hides its presence on the system and checks the defined Twitter account in regular intervals for commands.

Based on received commands, it can either download malicious apps or change the C&C Twitter account to another one.

“Using Twitter to control a botnet is an innovative step for an Android platform,” says Lukáš Štefanko, the ESET malware researcher who discovered the malicious app.

According to Štefanko, communication channels based on social networks are hard to discover and impossible to block entirely, while simultaneously being extremely easy for the crooks to re-direct communications to another account.

Twitter was first used to control Windows botnets in 2009. 

“As for the Android space, this means of hiding has remained untapped until now. In the future, however, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks,” says Štefanko.

Štefanko says Android/Twitoor has been active since July, 2016. It can’t be found on any official Android app store, but probably spreads by SMS or via malicious URLs.

It impersonates a porn player app or MMS application but without the functionality, Štefanko explains. Instead, it has been downloading several versions of mobile banking malware.

However, the botnet operators can start distributing other malware at any time, including ransomware, according to Štefanko.

“Twitoor serves as another example of cyber criminals innovating their business. Internet users should keep on securing their activities with good security solutions for both computers and mobile devices,” says Štefanko.

Story image
SMBs in SEA region threatened by vastly increasing rates of cryptomining
According to Kaspersky's latest report, the global cybersecurity company has detected 1,726,799 mining attempts in the first half of this year targeting SMBs in SEA.More
Story image
Just one click – that’s all it takes to let in cyber-crime
So how do organisations ensure that users are not compromised by simply doing their work?  The answer is surprisingly simple, writes Bufferzone Security business strategist for A/NZ Greg Wyman.More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
Report: 151% increase in DDoS attacks compared to 2019
It comes as the security risk profile for organisations around the world increased in large part thanks to the COVID-19 pandemic, forcing greater reliance on cloud technology and thrusting digital laggards into quick and unsecured migrations.More
Story image
Metallic adds data management and GDPR compliance
Now GDPR compliant, additions to the portfolio include eDiscovery features and support for Microsoft Hyper-V and Azure Blob and File storage.More
Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More