News App from Google Play Targeted ESET with a DDoS Attack

20 May 2020

ESET, a popular malware protection and Internet security company, was subjected to a distributed denial-of-service (DDoS) attack back in January of 2020.

While a cyberattack of this nature on a company of such stature is hardly surprising, the method the miscreants used to carry it out is quite remarkable. The attack was facilitated by an “Updates for Android” app, which had more than 50,000 downloads and a 4.3 rating on Google Play.

The application offered its users the latest news for free and, after building up enough trust, turned malicious: it loaded JavaScript from an attacker-controlled server and executed it on user devices to flood ESET’s website with bogus traffic.

The Anatomy of The Attack on ESET In Short

Reportedly, the attack involved more than 4,000 unique IP addresses and lasted for 7 hours.

Researchers identified the app, which was first uploaded to the Play Store back in September of 2019. At first glance, it was an app whose sole purpose was to display a feed of daily news, but in reality the app contacted a command-and-control server every 150 minutes, sending the device ID and receiving commands.

Those commands could hide the app’s presence from the user, display ads in the default web browser, and execute JavaScript that connected the infected devices to the target website, thus making a denial-of-service attack possible.

As ESET researchers found out during their investigation, five more websites (mostly e-commerce and news sites from Turkey) were targeted.  
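The defining trait of the attack described above is a sudden crowd of distinct client addresses hammering the same site. The following script is an added example, not code from ESET or from the original post: it assumes nginx/Apache combined-format access logs, parses constructed sample lines, and flags any one-minute window in which a single path is hit by more distinct client IPs than a chosen threshold. The sample addresses and timestamps are constructed; the threshold of 3 is deliberately tiny so the sample triggers it, and a real site would tune it to its normal traffic.

```python
"""Flag DDoS-like bursts: many distinct source IPs hitting one path in a short window.

Added example, not code from ESET or from the original post. It assumes
nginx/Apache combined-style access logs; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "epoch": datetime.strptime(m.group("ts"), TS_FMT).timestamp(),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bursts(lines, window_secs=60, min_unique_ips=3):
    """Return [(window_start_iso, path, unique_ips, requests)] for every window/path
    pair in which the number of distinct client IPs reaches min_unique_ips."""
    ips = defaultdict(set)   # (bucket, path) -> distinct client IPs
    hits = defaultdict(int)  # (bucket, path) -> request count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing
        key = (int(rec["epoch"] // window_secs), rec["path"])
        ips[key].add(rec["ip"])
        hits[key] += 1
    out = []
    for (bucket, path), addrs in ips.items():
        if len(addrs) >= min_unique_ips:
            start = datetime.fromtimestamp(bucket * window_secs, tz=timezone.utc)
            out.append((start.isoformat(), path, len(addrs), hits[(bucket, path)]))
    return sorted(out)


# Constructed sample: five different clients hit "/" within one minute,
# one client hits "/about", and one lone client hits "/" a minute later.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/Jan/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [20/Jan/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/Jan/2020:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jan/2020:10:00:30 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [20/Jan/2020:10:00:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.14 - - [20/Jan/2020:10:00:58 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this line is garbage and should be skipped',
    '192.0.2.33 - - [20/Jan/2020:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for start, path, uniq, reqs in find_bursts(SAMPLE_LOG):
        print(f"{start} {path}: {uniq} distinct IPs, {reqs} requests")
```

Counting distinct addresses rather than raw request volume is what separates this pattern from a single noisy client: a flood built from thousands of phones, each sending only a handful of requests, can stay under per-IP rate limits while still saturating the site. Once a window is flagged, the usual mitigations apply, such as challenge pages, upstream filtering, or temporarily blocking the offending address set.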

ESET was able to mitigate the attack and notify Google about the incident. The app was quickly removed from Google Play, but the website that promotes it is still up and running. Understandably, the website “i-updater[.]com” is blocked for ESET customers.

It should also be noted that the app can still be found on the unofficial app stores. To find out why third-party platforms pose an increased threat, you can look over our recent blog post, called “Facts To Know About Android EventBot Malware”. 

What We Can Learn from This Incident

First and foremost, the app would probably have abused even more devices had it not been for ESET’s intervention. The targeted e-commerce and news websites could also have been under continuous attack to this day.

The situation around “Updates for Android” shows how a malicious app can slip through the cracks of Google Play and do real damage without the store noticing, until a third party points out the threat. As ESET’s report states, the app turned malicious two weeks before the actual attack.

The recommendation here would be to stay away from apps that automate a task you could perform yourself in a more controlled and moderated environment. There is less risk in checking the news on well-trusted websites than in using applications with dubious motives. Signs of this app’s suspicious motives could be spotted by reviewing its website.

The first red flag is a registered domain “i-updater[.]com”. The second red flag is the content on the website, or the lack of it, in this case. From the main page, we can see that “Android Updates” is “faster, simpler, functional” [sic] and highlights that it is only 3MB. 

It does not look like much effort was put into that page or into the wording that promotes the app, which actually works in the user’s favour, as it is easier to notice. Lastly, the app itself had nothing to do with actual Android updates, as if its makers changed their minds along the way but decided not to change anything.

Ratings and reviews on Google Play also did not seem authentic, as the second most common rating was “1”, not an in-between grade. It is also worth remembering that downloading a malicious application might not only compromise the security of your device but also cause real financial and reputational damage to entities that did nothing wrong.

If you want to stay informed about the latest happenings in the world of cybercrime, consider checking out StealthMail’s news digest.

Please be cautious and stay safe!
