
How are hackers using Twitter as C&C servers for malware?

C&C servers have been replaced with Twitter accounts, which spread the Android Trojan Twitoor to user devices. Expert Michael Cobb explains how to stop this attack.

A new Android Trojan called "Twitoor" was discovered by antivirus vendor ESET, and it has the ability to download malicious apps onto devices with instructions received from a command-and-control Twitter account. If discovered, the attackers can easily redirect communications to a new Twitter account. How can users prevent Twitoor from taking over their devices? Could other types of malware use Twitter in a similar way?

Having the ability to send commands to a botnet or to remotely install malware and receive information back is a powerful weapon in any hacker's armory, and it is what makes botnets and certain malicious apps so dangerous.

However, it's also a potential weakness. Security tools can spot suspicious traffic entering or leaving a network or device and block it, rendering the botnet or malware unable to receive further instructions or relay data back to the command-and-control (C&C) server operated by the attacker. Forensic examination of the traffic generated by C&C servers can often reveal their location, the location of the endpoints within the botnet, as well as the types of malware being used and the vulnerabilities being exploited. This information can then be used to shut down the C&C servers and to dismantle the botnet.

To protect their malicious operations, hackers are constantly looking for techniques to obfuscate their C&C infrastructure and to avoid takedowns by making forensic analysis, detection and attribution a lot harder. Early C&C servers mainly communicated with botnets using the Internet Relay Chat protocol, but alternative channels are now often used, including JPEG images, Microsoft Word files and posts from dummy LinkedIn or Twitter accounts. The "Gcat" backdoor malware can be controlled using Gmail as a C&C server, and Twitter has been used since 2009 to communicate with malware and to control botnets on Windows machines.

The Twitoor Trojan discovered by ESET represents the first time Twitter has been used to control Android devices. It takes advantage of the expanded length of Twitter direct messages to create a new type of C&C infrastructure that allows an attacker to send private messages to control and coordinate infected Android phones and tablets. Once installed, the malware regularly checks a malicious Twitter account for instructions. These instructions direct the Trojan to either download and install additional malware or to use a different C&C Twitter account.

As it is easy for those behind Twitoor to continually switch Twitter accounts and redirect communications, this Android Trojan is far harder to unravel. It also uses encrypted messages to further obfuscate the attacker's activities. The move to abandon the 140-character limit on Tweets means that instructions to bots or malware can be more complex, while direct message traffic is difficult to distinguish from legitimate communications, making it harder to spot and block.

Hackers will use any viable channel to create a connection between their C&C servers, their bots and the targeted devices. Malware authors are bound to incorporate Twitoor-based techniques into their creations, as well as to develop them to use in other social networks or third-party services as a means of communicating with their malware. In many ways, it will be down to Twitter and other social media site operators to research how these attackers operate and to find any identifiable patterns or behaviors in their communications in order to block and stop this type of C&C operation from functioning.
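Because the messages themselves are encrypted and blend in with legitimate direct-message traffic, the most reliable signal left to a defender is the behaviour described above: an infected device "regularly checks" the C&C account on a machine-like schedule. The following is an added example (not code from the article, ESET or Twitter) that scores that regularity over constructed proxy log lines; the log format, the device identifiers, the endpoint path and the thresholds are all assumptions.

```python
"""Beacon detection over proxy logs: flag devices that poll a social-media
API endpoint on a suspiciously regular schedule (added example; log format,
device names, endpoint path and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample proxy log lines, "<ISO timestamp> <device> <host><path>".
# DEVICE-A polls the direct-message endpoint every ~300 s with tiny jitter
# (machine-like); DEVICE-B touches Twitter at irregular, human-looking times.
_DM = "api.twitter.com/1.1/direct_messages.json"   # assumed endpoint path
_T0 = datetime(2017, 1, 9, 8, 0, 0)
_A_GAPS = [0, 300, 301, 299, 300, 302, 298, 300]  # seconds between polls
SAMPLE_LOG = [
    f"{(_T0 + timedelta(seconds=sum(_A_GAPS[:i + 1]))).isoformat()} DEVICE-A {_DM}"
    for i in range(len(_A_GAPS))
] + [
    "2017-01-09T08:01:12 DEVICE-B " + _DM,
    "2017-01-09T08:02:30 DEVICE-B " + _DM,
    "2017-01-09T08:20:05 DEVICE-B " + _DM,
    "2017-01-09T09:15:40 DEVICE-B " + _DM,
    "2017-01-09T09:16:02 DEVICE-B " + _DM,
    "2017-01-09T11:42:00 DEVICE-B " + _DM,
]

def parse(lines):
    """Group request timestamps as {device: {(host, path): [datetime, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        if not line.strip():
            continue
        ts, device, url = line.split()
        host, _, path = url.partition("/")
        hits[device][(host, "/" + path)].append(datetime.fromisoformat(ts))
    return hits

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means a fixed timer."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(lines, min_hits=6, max_cv=0.1, hosts=("api.twitter.com",)):
    """Return (device, endpoint, hit count, cv) for regular polling of the given hosts."""
    findings = []
    for device, endpoints in parse(lines).items():
        for (host, path), times in endpoints.items():
            if host not in hosts or len(times) < min_hits:
                continue
            cv = beacon_score(sorted(times))
            if cv is not None and cv <= max_cv:
                findings.append((device, host + path, len(times), round(cv, 3)))
    return findings
```

Direct messages travel over TLS, so without interception only the host (from SNI or DNS logs) is visible; running the same scoring on host-level records still catches the fixed-interval polling, at the cost of more legitimate app traffic to triage.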

Before an Android device can be recruited into the Twitoor botnet, the user must first download the malicious Twitoor app. This can't be done through the Google Play Store, so those already infected must have followed a malicious URL and been tricked into downloading it thinking it was a genuine app of some kind. Security awareness training has to make the message clear to users that they should only obtain apps from the Google Play Store or the enterprise's own app store, if it exists. Users also have to remain careful about what they download from Twitter or other social networking sites and to always preview shortened URL links to prevent visiting an unintended or dangerous website.


This was last published in January 2017
