Android backdoor exploited

A newly discovered Android backdoor is using an innovative method of receiving commands: it connects to a Twitter account instead of a command and control (C&C) server, ESET researchers say.

Dubbed Android/Twitter, the malware works by downloading other malicious applications onto the infected devices. Researchers say that it has been active for about a month. Fortunately, the threat isn’t spreading through official Android storefronts, but through SMS messages or malicious URLs that the attackers send to their victims.

After its launch, the malware hides its presence on the infected device. Once in place, it starts checking a defined Twitter account at regular intervals for commands. Researchers discovered that, depending on the commands it receives, the backdoor can be used in two different ways: it can either download malicious applications onto the compromised device or switch to a different C&C Twitter account.
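As an added illustration of the polling behaviour described above (example code, not from the ESET research): a script that scans constructed egress log lines and flags apps contacting Twitter at near-constant intervals, the regular-check pattern that blends into ordinary social-network traffic yet stands out by its timing. The log format, package names and thresholds are assumptions for the demonstration.

```python
# Added example (not from the ESET article): flag apps that poll a Twitter
# endpoint at near-constant intervals, the beaconing pattern described above.
# Log format and values are constructed for illustration.
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: "<ISO timestamp> <app package> <host> <path>"
SAMPLE_LOG = """\
2016-08-24T10:00:00 com.example.weather api.twitter.com /1.1/statuses/user_timeline.json
2016-08-24T10:00:31 com.example.photos api.twitter.com /1.1/statuses/home_timeline.json
2016-08-24T10:05:01 com.example.weather api.twitter.com /1.1/statuses/user_timeline.json
2016-08-24T10:10:00 com.example.weather api.twitter.com /1.1/statuses/user_timeline.json
2016-08-24T10:15:00 com.example.weather api.twitter.com /1.1/statuses/user_timeline.json
2016-08-24T10:17:45 com.example.photos api.twitter.com /1.1/statuses/home_timeline.json
2016-08-24T10:20:01 com.example.weather api.twitter.com /1.1/statuses/user_timeline.json
2016-08-24T11:02:10 com.example.photos api.twitter.com /1.1/statuses/home_timeline.json
"""

TWITTER_HOSTS = {"api.twitter.com", "twitter.com", "mobile.twitter.com"}

def parse_log(text):
    """Return {app: [timestamps]} for requests to Twitter hosts only."""
    hits = {}
    for line in text.splitlines():
        ts, app, host, _path = line.split()
        if host in TWITTER_HOSTS:
            hits.setdefault(app, []).append(datetime.fromisoformat(ts))
    return hits

def beacon_score(timestamps):
    """Coefficient of variation of the inter-request gaps (0 = perfectly regular).
    Returns None when fewer than three requests were seen."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps)

def find_pollers(text, max_cv=0.1, min_requests=4):
    """Apps whose Twitter requests are regular enough to look like C&C polling.
    Thresholds are assumed values; tune them against a baseline of benign apps."""
    flagged = {}
    for app, stamps in parse_log(text).items():
        cv = beacon_score(stamps)
        if cv is not None and len(stamps) >= min_requests and cv <= max_cv:
            flagged[app] = round(cv, 3)
    return flagged

if __name__ == "__main__":
    print(find_pollers(SAMPLE_LOG))  # {'com.example.weather': 0.003}
```

A legitimate client that refreshes a timeline on user interaction produces irregular gaps (the photos app here), while the five-minute poller is flagged; a real deployment would feed per-app network logs from the device or gateway rather than the constructed sample.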

ESET explains that malware that turns devices into botnets requires communication with a C&C server to receive updated instructions, and that this communication could raise suspicion from users. Moreover, when such servers are seized, they tend to disclose information about the entire botnet.

Encrypting the transmitted messages was one way for malware authors to make the Twitter botnet’s communication more resilient. They also used complex C&C network topologies and new communication methods, such as social networks.

To stay protected, users are advised to be cautious when opening URLs received from untrusted sources. They should also make sure that they keep their device’s operating system and applications updated at all times.