Have you ever thought that a botnet of Android devices could be controlled via Twitter? This is no longer a theory because it has already happened, as disclosed by researchers at ESET. The botnet, dubbed Android/Twitoor or just Twitoor is employed to spread control messages to compromised handsets. Currently, the payload of the operation is banking malware.
Android/Twitoor: Technical Overview
Android/Twitoor is a backdoor capable of downloading other malware onto an infected device, researchers say.
According to ESET, the botnet has been active for around a month. The app can’t be found on any official Android app store, so it’s very likely that the botnet spreads via SMS or via malicious URLs.
In addition, it masquerades as a porn player app or an MMS application, although it doesn’t have that functionality.
How is the attack carried out? The Twitoor trojan checks Twitter accounts at specified intervals for new commands. The botnet operator then tweets out instructions, which the trojan interprets and turns into malicious actions.
Lukáš Štefanko, the ESET malware researcher who discovered the malicious app, says that using Twitter instead of a command & control server is quite innovative for an Android botnet.
Malware that enslaves devices to form botnets needs to be able to receive updated instructions. That communication is an Achilles heel for any botnet – it may raise suspicion, and cutting the bots off is always lethal to the botnet’s functioning.
What is more, if the command & control server is detected by the police, it would reveal more information about the botnet and its operations.
To make the Twitoor botnet’s communication more resilient, botnet designers took various steps like encrypting their messages, using complex topologies of the C&C network – or using innovative means for communication, among them the use of social networks.
A specific feature of Android/Twitoor lets it switch its Twitter C&C account to a new one whenever needed, which makes it even more dangerous. According to Štefanko, the botnet is currently deployed to spread banking malware, but the malicious payload can be changed depending on the crooks’ agenda.
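The fixed-interval polling described above and the account switching are both visible from the defender's side as regular traffic from a non-Twitter app to Twitter's API host. The following is an added detection example, not code from ESET or from the article, and it assumes a constructed per-app connection log of the form `<epoch_seconds> <package_name> <destination_host>`; package names and timestamps are made up.

```python
import re
from statistics import mean, pstdev

# Constructed sample log (not real Twitoor traffic): one line per outbound
# connection, "<epoch_seconds> <package_name> <destination_host>".
# The fake MMS app polls api.twitter.com every 300 seconds; the real
# Twitter client connects at irregular, user-driven times.
SAMPLE_LOG = """\
1000 com.example.mmsviewer api.twitter.com
1000 com.twitter.android api.twitter.com
1300 com.example.mmsviewer api.twitter.com
1417 com.twitter.android api.twitter.com
1600 com.example.mmsviewer api.twitter.com
1900 com.example.mmsviewer api.twitter.com
2050 com.twitter.android api.twitter.com
2200 com.example.mmsviewer api.twitter.com
2500 com.example.mmsviewer api.twitter.com
2511 com.example.mmsviewer cdn.example.net
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group connection timestamps by (package, host); skip malformed lines."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, pkg, host = int(m.group(1)), m.group(2), m.group(3)
        events.setdefault((pkg, host), []).append(ts)
    return events


def find_beacons(events, hosts, min_hits=4, max_jitter=0.1, allowlist=()):
    """Flag (package, host, interval) where a non-allowlisted app contacts a
    watched host at a near-constant interval. Keying on the host rather than
    on a specific account means rotating C&C accounts within the same
    service does not change the result."""
    findings = []
    for (pkg, host), stamps in events.items():
        if host not in hosts or pkg in allowlist or len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Relative jitter close to zero is the signature of scheduled polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((pkg, host, round(avg)))
    return findings
```

Running `find_beacons(parse_log(SAMPLE_LOG), {"api.twitter.com"}, allowlist={"com.twitter.android"})` on the constructed log flags only the fake MMS app, with a 300-second polling interval.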
Lukáš Štefanko expects that malware operators will move on to other social networks, such as Facebook or LinkedIn, to deploy the botnet.