Cyber Incident Victim: ESET
Date: Jan 2020
Location: Slovakia
Summary
A malicious Android app disguised as a news service distributed via Google Play covertly enslaved devices into a botnet that conducted a distributed denial-of-service attack against ESET's website. The application, installed thousands of times, executed attacker-controlled JavaScript to periodically communicate with command servers and also surreptitiously displayed advertisements while concealing its presence. Security researchers identified the threat, leading to the app's removal, though associated infrastructure remained operational post-takedown.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2019, the malicious Android application "Updates for Android" was uploaded to the Google Play Store, presenting itself as a legitimate service offering free daily news updates to users. The app accumulated approximately 50,000 installations before its removal. Initially appearing benign, the application later introduced an update that embedded hidden malicious functionality, leveraging JavaScript code executed from an attacker-controlled server to bypass Google Play’s security mechanisms. This update enabled the app to covertly transform infected devices into bots within a distributed network. The malware established communication with a command-and-control (C2) server, transmitting device identifiers at 150-minute intervals while concealing its presence by removing the app icon from users’ devices. Additionally, the app triggered unauthorized advertisements within the device’s default web browser, generating revenue for the attackers through fraudulent ad clicks without user consent.

On January 1, 2020, the compromised devices were activated to execute a sustained Distributed Denial-of-Service (DDoS) attack targeting ESET’s primary domain, eset.com. The attack lasted seven hours and involved more than 4,000 unique IP addresses associated with infected devices. ESET’s security researchers, led by Lukas Stefanko, detected and analyzed the attack traffic, tracing its origin to the malicious app. The investigation revealed the app’s operational infrastructure, including the active C2 domain i-updater[.]com. ESET promptly notified Google, resulting in the app’s removal from the Play Store. The incident highlighted technical challenges in identifying such threats, as the malware employed JavaScript execution—a technique also used legitimately by many applications—to evade detection. No data theft or secondary payloads were reported, but the attack demonstrated the potential scale of DDoS operations orchestrated through compromised mobile applications distributed via official app stores.
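The 150-minute check-in interval described above is the kind of regularity a defender can look for in device or gateway egress logs. The following Python is an added example and not code from ESET or from the incident analysis: it runs a simple inter-arrival-time regularity test over constructed log lines (the device ids, hostnames and timestamps are made up, the page's C2 domain is deliberately not used, and the thresholds min_hits, max_jitter and min_interval are assumed tuning values). It generalizes beyond the 150-minute case by flagging any device-to-host pair whose contacts are evenly spaced, while ignoring short bursts and irregular browsing traffic.

```python
"""Periodic-beacon detector over constructed egress logs (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed sample log lines (not taken from the incident):
# "<ISO timestamp> <device_id> <destination host>"
# dev-a1 -> c2.example.invalid contacts every 150 minutes (one 5-second slip);
# dev-a1 -> news.example.invalid is irregular browsing; dev-b2 is a two-request burst.
SAMPLE_LOG = """\
2020-01-01T00:00:00 dev-a1 c2.example.invalid
2020-01-01T02:30:00 dev-a1 c2.example.invalid
2020-01-01T05:00:00 dev-a1 c2.example.invalid
2020-01-01T07:30:00 dev-a1 c2.example.invalid
2020-01-01T10:00:05 dev-a1 c2.example.invalid
2020-01-01T00:12:00 dev-a1 news.example.invalid
2020-01-01T00:47:00 dev-a1 news.example.invalid
2020-01-01T03:05:00 dev-a1 news.example.invalid
2020-01-01T09:20:00 dev-a1 news.example.invalid
2020-01-01T01:00:00 dev-b2 cdn.example.invalid
2020-01-01T01:00:01 dev-b2 cdn.example.invalid
"""


def parse_log(text):
    """Parse log text into (timestamp, device, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.05,
                 min_interval=timedelta(minutes=5)):
    """Return {(device, host): median_gap_seconds} for pairs whose contacts are regular.

    A pair is flagged when it has at least min_hits contacts, the median gap is at
    least min_interval (filters out bursts and ordinary page loads), and the relative
    spread of the gaps (population stdev / median) is at most max_jitter. The
    thresholds are assumed starting values, not figures from the incident.
    """
    by_pair = defaultdict(list)
    for ts, dev, host in events:
        by_pair[(dev, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if median_gap < min_interval.total_seconds():
            continue
        spread = statistics.pstdev(gaps) / median_gap
        if spread <= max_jitter:
            flagged[pair] = median_gap
    return flagged


if __name__ == "__main__":
    for (dev, host), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{dev} -> {host}: regular contact every {gap / 60:.1f} minutes")
```

Running the block reports only the dev-a1 to c2.example.invalid pair, with a 150.0 minute period; the irregular news traffic and the two-request burst are not flagged. In practice the interval test is a triage signal rather than a verdict, since legitimate apps also poll on timers, so matches are worth correlating with the other behaviours the incident description lists (an app icon disappearing after an update, unexpected browser ad launches).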
