Thousands of Android devices used in Google Play Store malware attack

Thousands of Android devices used in Google Play Store malware attack

Google has blocked and started removing completely hundreds of apps from its Play Store after they were discovered to have been used to orchestrate distributed denial of service (DDoS) attacks. It is understood by Now Gadgets that in the region of 300 apps have been removed by the search engine giant, responding to a widespread attack against Content Delivery Networks (CDN) on August 17 2017. Following a joint effort with cyber-security researchers, Google said:

Thousands of Android devices used in Google Play Store malware attack
Thousands of Android devices used in Google Play Store malware attack

Thousands of Android devices used in Google Play Store malware attack

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices…”

The malicious nature of the apps, many of which have been available on the popular Android app store for a number of weeks, was discovered by researchers working at Akamai. The team at the cloud services provider found that once installed, malware within the apps aggressively hijacked the Android device they were loaded to. It is further understood that the malware was then activated to drive traffic for the “WireX” botnet. Operational whenever the infected device was switched on, WireX has affected potentially millions of IP addresses of CDN companies and organisations across the world.

The apps affected are varied and appear to be as genuine as any other. Ranging from simple ringtone galleries to phone and tablet storage services and media playing dashboards they were to be found in a number of categories on the Play Store. Though attacks could only be launched from a device when it was switched on, the infected app itself did not necessarily have to be open. The botnet was also able to continuously attack if the device screen was locked and launched their attacks in different ways depending on what app it was attached to.

With work continuing to remove the rogue army of apps, the tech giant and the team working on the problem has warned that tens of thousands of handsets and other devices in hundreds of countries will be affected because of the range of apps coded with the malware. Google has re-iterated and issued advice that the malicious apps also need to be removed from each infected device to minimise further attacks. It is now working to do this, saying:

“The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”

Device owners have been advised that the malware is being recognised as the “Android Clicker” trojan by antivirus software, but explained it is not a click fraud virus itself, but one which has been reformatted to launch DDoS.

DDoS – The basics

Distributed denial of services attacks have been used by criminals for a number of years now. Working to overwhelm an organisation’s servers by sending huge data sets through thousands of ‘visitors’ to a site, they effectively shut down any target’s online and digital presence and can affect daily operations within the company preventing it from delivering its services or products.

Collaboration called for

A collaborative effort from a number of teams are working to investigate how far spread WireX is. Alongside the team of researchers at Akamai and Google, it is understood that there are also specialists from Cloudflare and Flashpoint involved. Team Cymru, Oracle Dyn and RiskIQ and other organisations are also lending support and resources to fight the botnet and accelerate the investigation which has now picked up pace.

The unit heading the operation issued a statement, saying:

“Once the larger collaborative effort began, the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system,”

Thousands of Android devices used in Google Play Store malware attack


Google and the research team have also called on other organisations to help – not only with the ongoing investigation but to also prevent other attacks. The team has called for a joint-effort through the sharing of metric information about any DDoS attacks an organisation has faced. Collated and analysed, such information and the wealth of data held within it would allow greater understanding of how such attacks work which would allow systems, practices and tools to be developed to prevent and better counter future attacks.

Rahul Solanki

Rahul is a gadget lover and love to write about gadgets, mobile apps, and latest phone reviews. He owns several blogs <a href="">Now Gadgets</a>. He also likes to write on how to make money, gadgets, Bollywood review and much more...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.