Android app promised to serve news updates, served ESET with a DDoS attack instead

silversurfer

ESET has been forced to fend off a DDoS attack facilitated by a malicious news app hosted in the Google Play Store.

On Monday, ESET researcher Lukas Stefanko described how the app, named "Updates for Android," promised users a free daily news feed. The app appeared to gather good reviews with an overall score of 4.3, but secretly, the software was creating a bot of slave devices in order to launch Distributed Denial-of-Service (DDoS) attacks.

First uploaded to Google Play on September 9, 2019, the Android app proved popular and accounted for over 50,000 installs at its peak.

Updates for Android posed as legitimate software by offering some news feeds and only introduced functionality that could be abused for malicious purposes in its most recent update.

"We don't know how many instances of the app were installed after the update or were updated to the malicious version," ESET noted.

The functionality in question is the "ability to load JavaScript from an attacker-controlled server and execute it on the user device," according to the researchers. As this feature was a late addition and only appeared two weeks before the attack, the team says this explains why the app managed to circumvent Google Play's security controls.

Following its update, the malicious app pinged a command-and-control (C2) server belonging to its operator for commands every 150 minutes. The ID of each device with an active install of the app was also forwarded to the server.
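A fixed polling interval like the 150-minute check-in described above is something defenders can look for in proxy or DNS logs. The sketch below is an added example, not part of the original post or of ESET's analysis; the log format, addresses, hostnames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_sample_log():
    """Constructed proxy log lines: '<ISO timestamp> <client> <host>'."""
    start = datetime(2020, 1, 1)
    lines = []
    # Constructed beacon: fixed 150-minute polling with a few seconds of jitter.
    for i, jitter in enumerate([0, 12, -8, 5, -3, 9, 0, -11]):
        t = start + timedelta(minutes=150 * i, seconds=jitter)
        lines.append(f"{t.isoformat()} 10.0.0.21 c2.example.invalid")
    # Constructed interactive browsing: irregular gaps between requests.
    for m in [3, 4, 20, 95, 96, 240, 610, 900]:
        t = start + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} 10.0.0.21 news.example.org")
    # Constructed regular but short series: too few events to judge.
    for i in range(3):
        t = start + timedelta(minutes=150 * i)
        lines.append(f"{t.isoformat()} 10.0.0.35 cdn.example.net")
    return lines


def find_beacons(lines, min_events=5, max_rel_dev=0.05):
    """Return (client, host, period_minutes) for near-constant request intervals."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, host = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    hits = []
    for (client, host), times in sorted(seen.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        # Median absolute deviation relative to the period: robust to one missed poll.
        rel_dev = median(abs(g - period) for g in gaps) / period
        if rel_dev <= max_rel_dev:
            hits.append((client, host, round(period / 60)))
    return hits


if __name__ == "__main__":
    for client, host, minutes in find_beacons(make_sample_log()):
        print(f"{client} -> {host}: every ~{minutes} min")
```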
 
