Researchers Discover Android Mobile Botnet 100k Strong

A newly discovered malicious application circulating on third party Android markets in China has created a botnet that contains more than 100,000 compromised devices, researchers report.

A newly discovered malicious application circulating on third party Android markets in China has created a botnet that contains more than 100,000 compromised devices, researchers report.

Researchers from North Carolina State University and Symantec say the malware, dubbed RootStrap (NC State) installs a known remote access trojan (RAT) named BMaster (Symantec). It is capable of stealing a wide range of information from infected Android devices running versions earlier than 2.3.3 and 3.0, and may be ginning up illilcit profits with premium SMS and telephony scams, according to the report from NC State and Symantec.

Malicious software researches and anti virus companies have observed a sharp spike in the number of malicious programs targeting the Android platform in the last year, as the population of Android devices has skyrocketed. However, botnets are still rare for the mobile world.

The Android botnet is mostly confined to China and is the largest such mobile botnet documented to date. With infections that date to September, 2011, the Android botnet sported 11,000 active devices generating revenue for the botmaster as recently as last week. Data from January shows 29,000 active devices, according to Symantec, which analyzed data from a command and control server used by the botnet.

According to Xuxian Jiang of NC State, the RootSmart malware is similar to an earlier AndroidUnlike previous

Android malware, dubbed GingerMaster. Like that malware, RootSmart uses the GingerBreak jailbreak for Android devices that use the Gingerbread version of the Android operating system. Once installed in the guise of the host application, RootSmart fetches the GingerBreak jailbreak and then uses it to elevate its privileges on the device and install both the BMaster remote administration tool and malware from its C&C server, including the DroidLive malware. That infection technique is similar to a proof of concept illustrated by security expert Jon Oberheide in 2010.

Though reliable data on the size and operation of the botnet isn’t available, Symantec estimates that it could generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year for its operators, depending on how many infected devices the botmasters are able to sustain.

RootStrap isn’t the first example of an active, revenue-generating Android botnet, Symantec points out. However, it may be the first that  large enough and profitable enough to rival traditional Windows-based bot networks. That, Symantec points out, means it certainly won’t be the last.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.