SoylentNews is people

posted by janrinok on Friday August 26 2016, @11:34AM
from the checks-and-balances dept.

Twitter users aren't the only ones checking the microblogging service for important updates. Android malware is starting to do so, too.

One maker of Android malware is using Twitter to communicate with infected smartphones, according to security firm ESET.

The company discovered the feature in a malicious app called Android/Twitoor. It runs as a backdoor virus that can secretly install other malware on a phone.

Typically, the makers of Android malware control their infected smartphones from servers. Commands sent from those servers can create a botnet of compromised phones and tell the malware on all the phones what to do.

The makers of Android/Twitoor decided to use Twitter instead of servers to communicate with the infected phones. The malware routinely checks certain Twitter accounts and reads the encrypted posts to get its operating commands.

Lukas Stefanko, an ESET researcher, said in a Wednesday blog post that this was an innovative approach. It removes the need to maintain a command-and-control server, and the communications with the Twitter accounts can be hard to discover.

"It's extremely easy for the crooks to re-direct communications to another freshly created account," he said.

[...] So far, Android/Twitoor has been found downloading versions of mobile banking malware to users' phones.
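The behaviour the article describes, a phone fetching its orders from Twitter accounts on a schedule, shows up on a network as beaconing: the same client hitting the same host at almost constant intervals. The following script is an added illustration, not code from the article, from ESET, or from the sample; the log format, the addresses and the endpoint paths in it are constructed, and the threshold values are assumptions a practitioner would tune to their own traffic.

```python
"""Flag clients that poll a Twitter endpoint on a near-fixed schedule.

Added example, not code from the article or from ESET: malware that fetches
its commands from Twitter accounts at regular intervals produces beacon-like
traffic, which a proxy or egress log can expose. The log format and the
addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log: "<ISO timestamp> <client_ip> <dest_host> <path>".
# 10.0.0.7 hits the timeline endpoint every ~10 minutes; 10.0.0.8 browses irregularly.
SAMPLE_LOG = """\
2016-08-26T10:00:00 10.0.0.7 api.twitter.com /1.1/statuses/user_timeline.json
2016-08-26T10:02:13 10.0.0.8 twitter.com /home
2016-08-26T10:02:40 10.0.0.8 twitter.com /notifications
2016-08-26T10:05:30 10.0.0.7 example.com /index.html
2016-08-26T10:10:01 10.0.0.7 api.twitter.com /1.1/statuses/user_timeline.json
2016-08-26T10:15:55 10.0.0.8 twitter.com /explore
2016-08-26T10:17:02 10.0.0.8 twitter.com /home
2016-08-26T10:19:59 10.0.0.7 api.twitter.com /1.1/statuses/user_timeline.json
2016-08-26T10:30:00 10.0.0.7 api.twitter.com /1.1/statuses/user_timeline.json
2016-08-26T10:40:02 10.0.0.7 api.twitter.com /1.1/statuses/user_timeline.json
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (timestamp, client, host, path)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, path))
    return rows


def intervals_by_pair(rows) -> Dict[Tuple[str, str], List[float]]:
    """Seconds between consecutive requests for each (client, host) pair."""
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, host, _ in rows:
        times[(client, host)].append(ts)
    gaps = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(text: str, min_requests: int = 4, max_cv: float = 0.1) -> List[dict]:
    """Return (client, host) pairs whose request spacing is nearly constant.

    A pair is reported when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of its gaps is at most `max_cv`.
    Both thresholds are assumed starting points, not values from the article.
    """
    findings = []
    for (client, host), gaps in intervals_by_pair(parse_log(text)).items():
        if len(gaps) + 1 < min_requests:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "requests": len(gaps) + 1,
                             "mean_interval": avg, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f})")
```

On the constructed log only the 10.0.0.7 to api.twitter.com pair is reported (five requests, roughly 600 seconds apart); the interactive browsing from 10.0.0.8 has widely varying gaps and is left alone. A coefficient of variation is used rather than a raw standard deviation so that the same threshold works for a one-minute and a one-hour polling period; in practice the check is run per day over the full proxy log and the flagged pairs are reviewed against the installed apps on the device.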



 
  • (Score: 0) by Anonymous Coward on Friday August 26 2016, @12:07PM

    by Anonymous Coward on Friday August 26 2016, @12:07PM (#393441)

    Using twitter is about as "innovative" as using noip or pastebin or tinyurl or any other service that tends to be highly available.

  • (Score: 2) by TheRaven on Friday August 26 2016, @12:54PM

    by TheRaven (270) on Friday August 26 2016, @12:54PM (#393454) Journal
    It's also completely stupid, because you've handed control over to someone else. Twitter T&Cs allow them to unilaterally terminate your service for no reason, so as soon as anyone realises that this is happening then Twitter can shut it all down for you.
    --
    sudo mod me up
    • (Score: 2, Informative) by Anonymous Coward on Friday August 26 2016, @02:16PM

      by Anonymous Coward on Friday August 26 2016, @02:16PM (#393483)

      True, but this malware checks multiple accounts, and I would assume it can update its list of accounts to check, so it's going to be a cat-and-mouse game; it's not as simple as just shutting off one account.

      • (Score: 2) by TheRaven on Monday August 29 2016, @09:13AM

        by TheRaven (270) on Monday August 29 2016, @09:13AM (#394555) Journal
        Not really. One of my colleagues took down a botnet by analysing the code, identifying the next C&C server domain, and registering it before the botnet author. He was then in the slightly awkward position of being in control of a botnet and having to try to get ethics committee and legal approval to do something with it (like, for example, uninstall the malware. The only thing that they'd approve in the end was displaying a message saying 'you are infected with...'). More modern malware avoids this by having the owner register the domains long in advance, and as long as you've always registered a couple before they're used you can send a new algorithm for generating the names. With this model, if someone works out the algorithm then Twitter can (at no cost to themselves) register every single account that will be generated and send them a shutdown message.
        --
        sudo mod me up
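The point in the comment above, that whoever controls the namespace can claim every future name once the generation algorithm is known, can be shown in a few lines. This is an added example, not code from the article, from ESET, or from any analysed sample: the date-seeded SHA-256 scheme below is a toy stand-in for whatever a real bot uses, and the seed string is a placeholder for a value that would come out of analysis.

```python
"""Enumerate the rendezvous names a date-seeded generator will produce.

Added example, not from the article or from any analysed sample: once the
generation algorithm is known, whoever controls the namespace (a registrar
for domains, Twitter for account names) can claim every future name ahead of
the bots. The hashing scheme here is a toy stand-in for a real algorithm and
the seed is a constructed placeholder.
"""
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Tuple

SEED = "placeholder-seed-recovered-by-analysis"  # constructed; not from any real sample


def name_for(day: date, seed: str = SEED, length: int = 12) -> str:
    """One account name per day: hash the seed and the date, keep a prefix."""
    digest = hashlib.sha256(f"{seed}:{day.isoformat()}".encode()).hexdigest()
    return "u" + digest[:length]  # leading letter keeps it a plausible handle


def sinkhole_plan(start_iso: str, days: int, seed: str = SEED) -> List[Tuple[str, str]]:
    """Names to claim, in the order the bots will try them, as (ISO date, name)."""
    start = date.fromisoformat(start_iso)
    plan = []
    for i in range(days):
        day = start + timedelta(days=i)
        plan.append((day.isoformat(), name_for(day, seed)))
    return plan


def is_generated(name: str, start_iso: str, days: int, seed: str = SEED) -> Optional[str]:
    """Match an observed account name against the scheme.

    Returns the ISO date on which the bots would use it, or None if the name
    is not one the generator produces in the window. Useful for triage: an
    account that matches is worth blocking before its day arrives.
    """
    for day, candidate in sinkhole_plan(start_iso, days, seed):
        if candidate == name:
            return day
    return None


if __name__ == "__main__":
    for day, name in sinkhole_plan("2016-08-26", 7):
        print(day, name)
```

Run as-is it prints the seven names for the week from 26 August 2016; a platform operator holding the algorithm and seed would reserve that whole list (and as many further weeks as they like) at no cost, exactly as the comment describes, and `is_generated` gives a quick check for whether a newly observed account was produced by the same scheme.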
  • (Score: 1, Interesting) by Anonymous Coward on Friday August 26 2016, @01:38PM

    by Anonymous Coward on Friday August 26 2016, @01:38PM (#393468)

    Yeah, if I wrote malware I'd try to use search engines to look for new instructions (verified by sigs, of course). That way you can post commands anywhere on the Web. The problem, of course, is captchas. But millions search for famous stars all the time without getting those, so perhaps a combination of actress/actor names and non-related trending stuff might be good enough. Plus some delayed fallbacks, e.g. Twitter, Reddit, etc.

    • (Score: 2, Informative) by Anonymous Coward on Friday August 26 2016, @02:17PM

      by Anonymous Coward on Friday August 26 2016, @02:17PM (#393484)

      There has been malware in the past that did things like search for specific strings on Google or other search engines and link to the server that appeared as the first response. Sometimes they try to cover how they are linking to something using a search engine, too.

  • (Score: 0) by Anonymous Coward on Friday August 26 2016, @04:06PM

    by Anonymous Coward on Friday August 26 2016, @04:06PM (#393540)

    Not to mention there've been other botnets that already did this...