A new Android malware, called Twitoor, has been discovered that uses a Twitter account for command and control.
A new Android malware has been detected that uses a Twitter account in place of a traditional command-and-control (C&C) server to control infected devices. The malware has been named Twitoor by Lukas Stefanko, the ESET malware researcher who discovered it.
Twitoor works as a dropper: it is designed to check in from time to time with a Twitter account registered by the attackers. From that account it receives instructions for malicious actions, such as downloading secondary payloads or switching to a different controlling Twitter account.
The malware is believed to be distributed through common infection vectors such as malicious URLs or text messages. Although Twitoor disguises itself as a porn player app or an MMS application, it is primarily being used to download different versions of mobile banking malware. According to ESET, the malware has been active for over a month and can recruit devices into an Android botnet.
This move by the attackers to leverage Twitter rather than a dedicated C&C server for running an Android botnet is understandable. Twitter-based communication channels are difficult to discover and much harder to block entirely, and it is quite easy for the attackers to switch to freshly created Twitter accounts when needed. Traditional C&C servers, on the other hand, produce network traffic that is far more conspicuous and easier to detect, and the entire botnet can be shut down if the C&C servers are seized.
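The detection point above (a control channel that hides in traffic to a popular service) can still be caught on timing: a dropper that checks in at a fixed interval looks different from a person browsing the same site. The following is an added example, not code from ESET or the article, that flags machine-like periodic requests per (device, host) pair in constructed proxy-log lines; the host name, device names, timestamps and the 10% jitter threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch seconds> <device> <host>". deviceA polls
# the host every ~300 s with little jitter; deviceB browses it irregularly.
SAMPLE_LOG = """\
1000 deviceA api.twitter.com
1300 deviceA api.twitter.com
1602 deviceA api.twitter.com
1899 deviceA api.twitter.com
2201 deviceA api.twitter.com
2500 deviceA api.twitter.com
1000 deviceB api.twitter.com
1040 deviceB api.twitter.com
1500 deviceB api.twitter.com
1520 deviceB api.twitter.com
3100 deviceB api.twitter.com
3105 deviceB api.twitter.com
"""

def parse_log(text):
    """Group request timestamps by (device, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, device, host = line.split()
        series[(device, host)].append(int(ts))
    return series

def beacon_score(timestamps):
    """Coefficient of variation of the gaps between requests.
    Near 0 means fixed-interval polling; None if too few gaps to judge."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return (device, host, mean_gap_seconds) for request series whose
    timing is regular enough to look automated rather than human."""
    hits = []
    for (device, host), ts in parse_log(text).items():
        ts.sort()
        if len(ts) < min_requests:
            continue  # not enough samples to call it a beacon
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            hits.append((device, host, round(mean(gaps))))
    return hits
```

Flagged pairs are leads for triage, not verdicts: legitimate apps also poll on timers, so the next step is to check which app on the device owns the connection.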
While it is easy to understand why the attackers chose Twitter as their control channel, this approach has disadvantages as well. Since Twitter is a centrally managed service, there is a high probability that the botnet is shut down once security personnel discover it and understand the pattern behind its communications. The result could be either a tug of war between Twitter personnel and the attackers for control over the botnet, or the botnet being shut down completely.
Twitoor is another addition to the growing list of Android malware. The mobile operating system is targeted heavily because of its huge user base. As for using Twitter to communicate with malware and to control botnets, this is nothing new: the same technique has been used on Windows machines since 2009.
The Windows landscape is a lot more homogeneous and well understood, and the return on investment there has been quite high as well. However, with more and more people using their mobile devices more than their computers, mobile devices and their operating systems are being targeted more heavily than before. That is why tactics that have long been used on Windows are now being tried on mobile devices.