
Twitoor first Android malware known to leverage Twitter for command and control

Researchers have found the first known Android mobile malware to use a Twitter account, rather than a traditional command-and-control server, to control infected devices.

According to an ESET blog post, the malware, dubbed Twitoor, is a dropper program designed to periodically check in with a maliciously registered Twitter account in order to receive instructions for actions such as downloading secondary payloads and switching to another account.

“Using Twitter instead of command-and-control servers is pretty innovative for an Android botnet,” said Lukas Stefanko, the ESET malware researcher who discovered the malicious app, in a company blog post.

Thought to be distributed via SMS or malicious URLs, Twitoor typically disguises itself as a porn player app or MMS application, but in reality it has been used to download several versions of mobile banking malware (ESET did not specify which one). The malware has been active for around a month, ESET noted, and has the ability to recruit devices into an Android botnet.

There are several reasons cybercriminals would prefer malware to receive its instructions via Twitter: a C&C server's communication process is more conspicuous and detectable, and if C&C servers are seized by authorities, it could expose the entire botnet, ESET explains. Meanwhile, Twitter communication channels “are hard to discover and even harder to block entirely [and] it's extremely easy for the crooks to redirect communications to another freshly created account,” Stefanko explained in the blog post.

Of course, there are downsides to utilizing Twitter from a malware distributor's perspective. “The primary disadvantage is that Twitter is a centrally managed site, which means that if the powers that be at Twitter figure out what's going on and understand the identifiable patterns for this botnet's communications, there is a very high probability that they will stop it,” said Lysa Myers, security researcher at ESET, in an email interview with “This could create a 'whack-a-mole' situation in which the bot's author and Twitter fight for control of the C&C, or it could simply end the botnet,” she continued.

While Twitoor represents a new evolutionary step in Android malware, Twitter has been used since 2009 to communicate with malware and control botnets in Windows machines, ESET noted. “The return on investment for Windows malware is significantly greater than Android at the moment, as the landscape is much more homogenous and well-understood. [But] as more and more people use mobiles as their primary or sole computer, this is changing. So tactics that have worked well for Windows malware are being brought over for Android threats,” said Myers.

Bradley Barth
