Known as WireX, the botnet is less than a month old but it has been associated with some fairly large DDoS attacks in its short life. The botnet generates large volumes of HTTP GET requests, along with some POST requests, and the requests are designed to look like legitimate HTTP traffic. Researchers at security firms began seeing attacks from WireX at the beginning of August, but it wasn’t until more recently that it gained wide attention.

“The first available indicators of the WireX botnet appeared on August 2nd as minor attacks that went unnoticed at the time. It wasn’t discovered until researchers began searching for the 26 character User-Agent string in logs. These initial attacks were minimal and suggest that the malware was in development or in the early stages of deployment. More prolonged attacks have been identified starting on August 15th, with some events sourced from a minimum of 70,000 concurrent IP addresses,” a joint blog post from CloudFlare, Akamai, Flashpoint, and RiskIQ on the botnet disruption says.

The attack that really made researchers stand up and take notice, however, came on August 17, when the WireX botnet began flooding CDNs and content providers with large amounts of junk traffic. The attack traffic came from IP addresses in more than 100 countries, something that’s not very common in most DDoS attacks. The traffic also revealed a weird user-agent string that comprised the 26 letters of the English alphabet in some random order.

“The distribution of the attacking IPs along with the distinctive User-Agent string led the researchers who began the initial investigation to believe that other organizations may have seen or would be likely to experience similar attacks. The researchers reached out to peers in other organizations for verification of what they were seeing,” the researchers said.

“Once the larger collaborative effort began, the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system.”

The researchers quickly got to work analyzing the Android app that was being used in the attacks and found that there were a number of different apps that had been compromised and used in the botnet. Some of the apps were found in the Google Play store and other legitimate app stores and the researchers got in touch with the owners of those stores to alert them to the situation. Google quickly searched its app store and removed hundreds of affected apps.

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” Google said in a statement.

The WireX malware was hidden inside many different types of apps, including ring tones and storage management apps. When one of the compromised apps runs on a device, it contacts a C2 server for instructions and then follows the commands.

“The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them. These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use,” the researchers said.

The result of the work by the researchers from CloudFlare, Flashpoint, and the other companies involved is that the WireX botnet was crippled. The collaboration among the organizations shows how quickly things like this can be accomplished when multiple teams tackle the problem together.

“Cross-organizational cooperation is essential to combat threats to the Internet and, without it, criminal schemes can operate without examination,” the researchers said.