Fake Google Play App Uses Infected Phone to Launch DDoS

Russian anti-virus vendor Doctor Web (Dr. Web) is now warning Android device customers about a recently discovered app that can turn a smartphone into a platform for launching DDoS attacks without the owner's knowledge.

Although the security firm didn't reveal the actual listed name of the malicious app, it's called "Android.DDoS.1.origin" in the report, and is based out of Russia. Once the app in question is downloaded and installed on an Android smartphone, it's disguised as the Google Play icon. It even connects the user to Google's virtual storefront when launched.

But as Android users browse the virtual aisles of Google Play, the app secretly connects to its command and control server and uploads the infected device's phone number to the malware authors. These hackers in turn issue commands to the fake Google Play app using text messages.

"Supported directives include attack a specified server and send SMS. If criminals want the Trojan to attack a server, a command message will contain the parameter [server:port]," the firm reports.

If the app receives a command to attack a server, it will then begin flooding a specific address with data packets. If the malicious app is required to send SMS messages instead, the command message will contain both the message text and the number of a specific destination.

"Activities of the Trojan can lower performance of the infected handset and affect the well-being of its owner, as access to the Internet and SMS are chargeable services," the firm said. "Should the device send messages to premium numbers, malicious activities will cost the user even more."

Dr. Web is still trying to determine how this malware is being spread, but there's no indication that it's residing on Google Play as suggested by other reports. It's likely offered on 3rd-party Android markets meant for devices that don't provide Google-based services like Google Play and Gmail. The firm said criminals are likely employing "social engineering tricks" in addition to disguising the malware as a legitimate application from Google.

"It is worth noting that the code of Android.DDoS.1.origin is heavily obfuscated," the security firm said. "Given that the Trojan can carry out attacks on web sites and send various text messages to any number, including those of content providers, we can assume that the malware can also be used to conduct illegal activities for third parties (e.g., attack a competitor's site, promote products with SMS or subscribe users to chargeable services by sending SMS to short numbers)."

This new Android malware is still under investigation, so stay tuned.

Comment from the forums
    They probably invented it.
  • wildkitten
    LORD_ORION: They probably invented it.

    You're likely right.

    One of the ways these malware apps get spread isn't necessarily on 3rd party app stores, but on Android forums. Just a couple of days on the Phandroid forums for my phone model, someone was requesting the APK of the Google Play app. Had the person responding been someone who wanted to spread this malware, the person wanting it would have got the infected version, all the while assuming they were getting a good link from a respected Android community.
  • reprotected
    As you can see, this is clearly an anti-Google pro-Apple article. The virus was probably made by Dr. Web, sponsored by Apple who also paid this pro-Apple editor to write this article and post it on pro-Apple website Tom's Hardware. WE'RE NOT FALLING FOR YOUR TRICKS!!!!!!