
Our experts have discovered an interesting piece of Android malware, which ESET AV products detect as Android/Twitoor. What sets this trojan apart is that the attackers control it through the Twitter microblogging service. Twitoor contains backdoor functionality and specializes in downloading other malware onto the device. The malicious application is distributed via phishing SMS messages or fake links, and it disguises itself as a porn player or as an application for sending MMS messages. Once launched, Twitoor hides its presence on the system and then regularly checks the activity of one of the accounts on Twitter.
The messages posted by this Twitter account are commands for the Twitoor trojan. We found two types of commands: the first is used to download other malicious applications, and the second switches the bot to another Twitter account. One way or another, malware has to communicate with its C&C server and receive instructions from it. This communication is the bot's weak point, since the traffic it generates is an obvious indicator of malicious activity. Moreover, the malware's C&C server can be taken down by law enforcement.
[Figure: The attackers' Twitter account, with messages for the bot.]
To make the channel between the trojan and its C&C server more reliable, the authors of Twitoor took a number of steps: for example, they encrypt the messages and have added a function for switching the Twitter account used for control. The second measure lets the attackers quickly move the bot to a new source of instructions if the current account is blocked.
[Figure: Permissions requested by the malicious application.]
Windows malware that used Twitter as a control channel is already known; one such sample was discovered in 2009. On Android, malware has previously been observed using other non-standard control channels, including blogs or some instant messaging services from Google or Baidu.
We have seen Android/Twitoor download banking trojans for Android.