ESET researcher Lukas Stefanko has revealed details about an Android app that was used to launch DDoS attacks against the ESET website. Briefly, the app, dubbed “Updates for Android”, appeared on the Play Store as a news update app. It linked back to the website i-updater[.]com, which appeared to promote the app.
The app looked and, for a long time, remained harmless, which earned it thousands of downloads. According to ESET’s analysis, its one malicious capability was loading and executing attacker-supplied JavaScript on the device. This capability was not present when the app first appeared online in late 2019, which is how it passed Google Play’s security checks.
Around two weeks ago, however, an update added this capability, effectively turning the devices of all its users into a botnet. The app began downloading malicious JavaScript from the attacker’s server and running it on users’ devices. It also displayed ads through the device browser and hid its own icon. It was the ability to execute that remotely loaded JavaScript that the threat actors used to wage the DDoS attack.
Since the app targeted ESET’s website, the researchers quickly detected the source behind the attack.
App is now taken down
Upon detecting the malicious app, ESET contacted Google, which subsequently removed it from the Play Store. The researchers stated, though, that the website (i-updater[.]com) remained up because it did not itself host anything malicious. When LHN checked the website, however, it merely showed a blank page; even the page source contained nothing beyond some site layout code. This suggests that the threat actors behind the app are either planning to go underground, or have simply wiped the site in order to rebuild it in a new form.