Malware uses Twitter to control devices

By Staff Writer, ITWeb
Johannesburg, 30 Aug 2016
Twitoor is the first Twitter-based bot malware that is likely downloaded to Android devices via SMS or malicious URLs.

A new type of malware that uses social media accounts instead of command-and-control (C&C) servers has been discovered by ESET researchers.

The virus, called Twitoor, is a backdoor capable of downloading other malware onto an infected device by hiding on the smartphone and checking Twitter for commands.

Researchers say it has been active for less than a month and would not have been downloaded from the Google Play store. They say it is likely spread by SMS or malicious URLs.

It has only been used, so far, to download mobile banking malware. It can also change which Twitter accounts it receives commands from.

"Using Twitter instead of C&C servers is pretty innovative for an Android botnet," says Lukáš Stefanko, the researcher who discovered the app.

He explains that other malware needs to 'enslave' devices to form botnets to be able to receive commands, and: "That communication is an Achilles' heel for any botnet - it may raise suspicion, and cutting the bots off is always lethal to the botnet's functioning."

However, Stefanko says using social media as a communication channel makes it harder to discover and difficult to block.

The research firm says there was a similar instance where Twitter was used to control botnets on Android in 2009, but Twitoor is the first Twitter-based bot malware.

"In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks."

The app that carries the malware likely impersonates a porn player app or MMS application, but lacks their functionality, he concludes.

The research firm has not said how to tell if a device is infected or how to remove the virus.