A backdoor Trojan named Twitoor is the first instance of Android malware that receives its commands from a Twitter account.
Keeping their botnet out of law enforcement’s and other criminals’ hands is imperative for botmasters if they want to keep earning. C&C servers are the norm, but they can be tracked down, seized by the authorities and, ultimately, reveal crucial information about the botnet, allowing them to shut it down or cripple it.
Twitter or other social media accounts as C&C sources offer way more flexibility.
“It’s extremely easy for the crooks to re-direct communications to another freshly created account,” says ESET malware researcher Lukáš Štefanko. “In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks.”
He believes that the Twitoor backdoor is spread via SMS or malicious URLs, as there are no traces of it on Android app stores. It is usually hidden inside what professes to be a porn player app or MMS application.
Once it infects the target device, it hides itself and contacts the C&C Twitter account every so often.
Via that Twitter account, the botmaster tells it to switch to another C&C account, or to download additional malware.
According to Štefanko, the botnet is currently used to saddle infected users with mobile banking malware, but the malicious payload can be changed at any moment – it all depends on who rents the botnet to spread their malicious wares.