ESET detects Twitter controlled Android botnet

Security company ESET has discovered the first known Android malware that uses Twitter accounts as its command and control (C&C) server. Named Android/Twitoor by ESET researcher Lukáš Štefanko, it has been active for around one month.

Lukáš Štefanko, ESET Malware Researcher

Lukáš Štefanko, ESET Malware Researcher, said: “Using Twitter to control a botnet is an innovative step for an Android platform. This means of hiding has remained untapped until now. In the future, however, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks.”

The app is not yet available on any official Android store. It is believed to spread via SMS or infected websites. According to Štefanko's research, it poses as a porn player or MMS app. Once downloaded by the user, it fails to work. The problem is that the download also includes several versions of mobile banking malware.

Using Twitter to disguise its C&C activity is clever. Security teams regularly look for signs of C&C servers across corporate networks. With the large volume of social media traffic they are unlikely to closely monitor the content of that traffic. Most companies see social media as personal communications. This means that corporate privacy policy also tends to inhibit monitoring of messages.

Cybercriminals have used Twitter before

Security researchers at Arbor Networks discovered Twitter was used to control a Windows-based botnet in 2009. That botnet targeted users of a Brazilian bank. Alex Mathews, EMEA Technical Manager of Positive Technologies, commented: “Banking Trojans, along with SMS Trojans, are the most popular malicious programs for Android. An interesting feature of this particular botnet is its use of a social network as a C&C, instead of the attackers' own HTTP or IRC servers, which is more usual.

Alex Mathews, EMEA Technical Manager, Positive Technologies

The choice of such a service has its pros and cons for the attacker. The pros: the obvious convenience of control, high stability and bulletproofing of the C&C. The cons: if the attacker uses only one account there is a great risk of it being blocked and, as a consequence of that, the loss of the botnet, if there are no other control mechanisms.”

There have been a number of other cases where Twitter has been used for botnet C&C. Last year security researcher Paul Amar showed that it was possible to use Twitter Direct Messages to control a botnet. Amar said that any botnet would be limited to 100 bot machines. This is due to the daily limits Twitter places on users sending DMs.

More worrying for Twitter is a report from June 2016. It said that a user created a botnet of 3 million Twitter accounts in a single day. The report questions why Twitter staff didn’t spot a surge in registrations of 35.4 per second. This attack was executed over several months. Twitter IDs were reserved in October 2013 during the first phase. The second phase was the creation of the botnet in April 2014. Other botnets were also discovered that were capable of being used as C&C servers. Amar highlighted that coordinating large numbers of Twitter accounts could easily get around the DM limit.

Conclusion

Using social media to hide C&C messages is a clever move by the authors of Android/Twitoor. IT departments do not always check social media traffic. This means that an infection can spread quickly through an enterprise. Those users with multiple Android devices also run the risk of multiple infections. This will increase the likelihood of the attackers getting the banking information that they want.

Social media owners are already under attack by governments for not doing enough to deal with extremist hate speech and bullying. What they don’t need is to also find themselves under attack for helping to spread malware.
