Nearly 2 million Android devices hijacked by massive new botnet — how to see if yours are infected
Kimwolf is so large it was briefly more popular than Google
On October 30th, Cloudflare data identified a strange website that briefly surpassed Google as the most popular website globally. However, it wasn't a website at all: it was a massive command-and-control server that was controlling at least 1.8 million Android devices in order to use them for nefarious purposes.
Known as Kimwolf, the botnet is now considered to be the largest of its kind (so far) and shares a codebase with the previous record-breaker, Aisuru. Though both botnets use malware to infect vulnerable devices and rely on an APK file to load and start during runtime, the threat actors learned from Aisuru and included additional features in Kimwolf to better evade detection. Capable of various malicious activities including typical DDoS attacks, it also uses proxy forwarding, which allows the attackers to conceal their location and lets them bypass IP-based geo-restrictions and blacklists.
There’s also a reverse shell in the malware which gives the attackers command line access to the infected devices. This means they can run arbitrary commands or deploy additional malware on compromised devices. Likewise, they can also upload, download or modify files between devices.
Researchers at Xlab infiltrated the Kimwolf botnet in order to learn more about how it works and its scale. According to their findings, it appears to target Android devices, specifically those that are not certified by Google, such as dirt-cheap set-top boxes and tablets, which lack the search giant's extra protections. Xlab says the Kimwolf botnet seems to consist of infected Android TV boxes on residential networks distributed across 222 countries. Their IP addresses are located in Brazil (14%), India (12.7%), and the United States (9.5%), followed by Argentina, South Africa, the Philippines, Mexico and China.
How to avoid becoming mixed up in a botnet
The recommendations here are simple: Users should avoid purchasing uncertified, off-brand Android devices, set strong passwords, update their firmware as soon as possible, and only download apps from known and trusted developers.
If you want to stay safe, don't buy AOSP-based Android devices like off-brand TV boxes that lack official Google Play Services support. Additionally, always keep your firmware updated and install the latest security patches as soon as they become available on whichever of the best streaming devices you're currently using.
Google spokespeople have frequently advised us that "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure Google Play Protect, Android's malware protection that is on by default on devices with Google Play Services, is enabled."
At the same time, you also want to avoid sideloading apps and stick to only using ones from the Google Play Store and other official app stores. Likewise, Android TV devices can have their remote access features disabled when not in use, which takes them offline. This can provide an extra layer of security to help protect your devices and the data on them if they've unknowingly become part of a botnet.
It might also be worth investing in one of the best Wi-Fi routers or the best mesh Wi-Fi systems with security software built-in. While the best antivirus software can keep your PC safe from malware, network-wide security solutions like Netgear's Armor or TP-Link's HomeShield protect all of the devices connected to your home network from viruses and other threats. If you want our recommendation for the best official Android TV box out there, we still really like the Nvidia Shield (even though it's an older model).
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.