Twitoor first Android malware known to leverage Twitter for command and control

Twitoor, the first Android malware to use Twitter for command-and-control communications, is a downloader program that has been seen dropping banking malware on infected devices.

Researchers have found the first known Android mobile malware to use a Twitter account, rather than a traditional command-and-control server, to control infected devices.

According to an ESET blog post, the malware, dubbed Twitoor, is a dropper program designed to periodically check in with a maliciously registered Twitter account in order to receive instructions for actions such as downloading secondary payloads and switching to another account.

“Using Twitter instead of command-and-control servers is pretty innovative for an Android botnet,” said Lukas Stefanko, the ESET malware researcher who discovered the malicious app, in a company blog post.

Thought to be distributed via SMS or malicious URLs, Twitoor typically disguises itself as a porn player app or MMS application, but in reality it has been used to download several versions of mobile banking malware (ESET did not specify which one). The malware has been active for around a month, ESET noted, and has the ability to recruit devices into an Android botnet.

There are several reasons cyber-criminals would prefer malware to receive its instructions via Twitter: a C&C server's communication process is more conspicuous and detectable, and if C&C servers are seized by authorities, it could expose the entire botnet, ESET explains. Meanwhile, Twitter communication channels “are hard to discover and even harder to block entirely [and] it's extremely easy for the crooks to redirect communications to another freshly created account,” Stefanko explained in the blog post.
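The trade-off the article describes (a dedicated C&C server is conspicuous, while instructions fetched from a legitimate social-media account blend into ordinary traffic) is why defenders who cannot block the destination instead look at the behaviour of the client. The script below is an added illustration for this article, not code from ESET or from the Twitoor analysis: it scans per-app network log lines, which are constructed here and follow an assumed "timestamp package host" format, and flags any package other than an allowlisted Twitter client that contacts the Twitter hosts at near-constant intervals, the periodic check-in pattern described above. The host list, the allowlist of expected clients and the regularity threshold are all assumptions for the example.

```python
"""Flag beacon-like polling of a legitimate service by an unexpected app.

Added example (not from the article or ESET). The log format and every
package name, host and threshold below are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<unix timestamp> <android package> <destination host>".
# com.example.mmsviewer polls every 300 s; the real client is irregular.
SAMPLE_LOG = """\
1470000000 com.example.mmsviewer api.twitter.com
1470000300 com.example.mmsviewer api.twitter.com
1470000600 com.example.mmsviewer api.twitter.com
1470000900 com.example.mmsviewer api.twitter.com
1470001200 com.example.mmsviewer api.twitter.com
1470000010 com.twitter.android api.twitter.com
1470000055 com.twitter.android api.twitter.com
1470000500 com.twitter.android api.twitter.com
1470002200 com.twitter.android api.twitter.com
1470000120 com.android.chrome api.twitter.com
"""

# Assumed allowlist: apps for which talking to Twitter is expected.
EXPECTED_CLIENTS = {"com.twitter.android", "com.android.chrome"}
# Assumed set of hosts that carry the service's traffic.
WATCHED_HOSTS = {"api.twitter.com", "twitter.com", "mobile.twitter.com"}


def parse_log(text):
    """Group contact timestamps by package, keeping only watched hosts."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, host = line.split()
        if host in WATCHED_HOSTS:
            events[pkg].append(int(ts))
    return events


def regularity(timestamps, min_hits=4):
    """Coefficient of variation of the inter-arrival gaps.

    0.0 means perfectly periodic; larger values mean jittery, human-like use.
    Returns None when there are too few contacts to judge.
    """
    ts = sorted(timestamps)
    if len(ts) < min_hits:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def find_suspect_pollers(text, max_cv=0.2):
    """Return {package: details} for non-allowlisted apps that poll regularly."""
    suspects = {}
    for pkg, ts in parse_log(text).items():
        if pkg in EXPECTED_CLIENTS:
            continue
        cv = regularity(ts)
        if cv is not None and cv <= max_cv:
            ordered = sorted(ts)
            gaps = [b - a for a, b in zip(ordered, ordered[1:])]
            suspects[pkg] = {"hits": len(ts), "mean_gap_s": mean(gaps), "cv": cv}
    return suspects


if __name__ == "__main__":
    for pkg, info in find_suspect_pollers(SAMPLE_LOG).items():
        print(f"{pkg}: {info['hits']} contacts, every ~{info['mean_gap_s']:.0f}s (cv={info['cv']:.2f})")
```

On the constructed sample only com.example.mmsviewer is reported: five contacts exactly 300 s apart. The allowlisted Twitter client is skipped, and a single Chrome request is too little to judge. The check says nothing about what was fetched; it only surfaces the machine-like cadence that a check-in loop produces, which is the signal left over once the destination itself cannot be blocked.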

Of course, there are downsides to utilising Twitter from a malware distributor's perspective. “The primary disadvantage is that Twitter is a centrally managed site, which means that if the powers that be at Twitter figure out what's going on and understand the identifiable patterns for this botnet's communications, there is a very high probability that they will stop it,” said Lysa Myers, security researcher at ESET, in an email interview with SCMagazine.com. “This could create a 'whack-a-mole' situation in which the bot's author and Twitter fight for control of the C&C, or it could simply end the botnet,” she continued.

While Twitoor represents a new evolutionary step in Android malware, Twitter has been used since 2009 to communicate with malware and control botnets in Windows machines, ESET noted. “The return on investment for Windows malware is significantly greater than Android at the moment, as the landscape is much more homogenous and well-understood. [But] as more and more people use mobiles as their primary or sole computer, this is changing. So tactics that have worked well for Windows malware are being brought over for Android threats,” said Myers.