Chinese security firm Qihoo 360’s Netlab researchers discovered a new campaign targeting Android devices by co-opting them into a botnet with the sole aim of carrying out DDoS (distributed denial of service) attacks.
Netlab is the networking security division of Qihoo 360. The fledgling malware has been dubbed Matryosh, and the campaign was discovered this week. It currently affects Android devices only.
“Matryosh has no integrated scanning, vulnerability exploitation modules, the main function is DDoS attack, it supports tcpraw, icmpecho, udpplain attacks,” Netlab researchers wrote.
Matryosh Reusing Mirai Botnet Framework
According to Netlab researchers, the Matryosh DDoS botnet reuses the Mirai botnet framework. It propagates via exposed ADB (Android Debug Bridge) interfaces, infecting and ensnaring Android devices to enlarge its army of bots.
It is worth noting that ADB is a command-line tool of the Android SDK. It handles communications with the device and lets developers install and debug applications on it. The option is disabled by default on the majority of smartphones and tablets.
However, some vendors ship phones with this feature activated. As a result, unauthorized attackers can connect to the device remotely over TCP port 5555 and compromise it.
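As an added example (not code from Netlab's report or from this article), the following Python script scans a constructed connection log for connections to ADB's TCP port 5555 that originate outside RFC 1918 private ranges, which is the internet-facing exposure the article describes; the log format and all addresses are assumptions made for the example.

```python
import ipaddress

ADB_PORT = 5555  # TCP port ADB listens on when network debugging is enabled (per the article)

# RFC 1918 ranges; developer access from the LAN is expected and is not flagged.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "timestamp src_ip:src_port -> dst_ip:dst_port proto" per line.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here as stand-ins for internet hosts.
SAMPLE_LOG = """\
2021-02-03T10:00:01 203.0.113.7:51234 -> 192.168.1.20:5555 tcp
2021-02-03T10:00:02 192.168.1.5:44122 -> 192.168.1.20:5555 tcp
2021-02-03T10:00:03 198.51.100.9:40001 -> 192.168.1.21:5555 tcp
2021-02-03T10:00:04 203.0.113.7:51240 -> 192.168.1.22:5555 tcp
2021-02-03T10:00:05 203.0.113.7:51250 -> 192.168.1.20:443 tcp
"""


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line: str) -> dict:
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def exposed_adb_connections(log_text: str) -> list:
    """Return records where a non-RFC 1918 source reached an internal device on TCP 5555."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != ADB_PORT:
            continue
        if is_rfc1918(rec["src"]):
            continue
        hits.append(rec)
    return hits


def devices_by_external_source(hits: list) -> dict:
    """Count how many distinct internal devices each external source touched on the ADB port."""
    seen = {}
    for rec in hits:
        seen.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}
```

A source that reaches several internal devices on port 5555 is the pattern to escalate, since it suggests systematic probing of exposed ADB rather than a single developer session.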
Matryosh Uses Tor Network for Hiding C&C Server
Matryosh is unusual among botnets in that it uses the Tor network to hide its command-and-control servers. Moreover, it uses a multi-layered process to obtain the server address, which is why it is named Matryosh, after the traditional Russian matryoshka nesting dolls.
In 2019, malware with a similar name (PirateMatryoshka) was also found targeting users on The Pirate Bay.
Similarities between Matryosh, Moobot, and LeetHozer
Researchers suspect that this botnet could be the work of the same group that created the Moobot botnet in 2019 and the LeetHozer botnet in 2020. Several clues reveal similarities between these three botnets; for instance, all of them are built and used to launch DDoS attacks.
Furthermore, the Netlab research team found code that allows the infected devices to launch DDoS attacks over the UDP, TCP, and ICMP protocols.
Can you Protect your Device?
It may seem that disabling ADB on the smartphone would resolve the issue. Unfortunately, the problem is bigger than it appears, because on most Android devices no such option is available to the user.
Therefore, many devices may remain vulnerable to exploitation for crypto-mining, DNS hijacking, and, most obviously, DDoS attacks.