The Rise of Smartphone BotNets

Smartphone botnets have become increasingly popular over the last few years. Android software is highly vulnerable to malware and is constantly targeted by attackers due to the OS’s popularity around the world. Often the malware is installed on the device via malicious apps found in the Google Play store, third-party app stores, malicious emails or drive-by downloads while browsing from your device.


Figure 1: Android Botnet for sale

Infected devices that become part of a botnet can perform tasks such as recording audio and video, taking photos, sending text messages, opening webpages, stealing user data, deleting files, launching denial-of-service attacks via HTTP floods and, if supported, performing web injections.

The threat of a mobile botnet is very real and often hidden in unsuspecting apps found in different app stores. Once a user is infected, there is very little they can do to detect and remove the malware. An HTTP flood from a mobile botnet can easily produce over 100,000 unique IP addresses, making it increasingly difficult for websites to mitigate such a large-scale attack.
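Why the unique-IP count matters for defenders, as an added example that is not part of the original post: a per-source rate limit catches a flood from a few hosts but sees nothing when the same request volume is spread across 100,000 devices, while counting distinct sources per URL does. The log layout, thresholds and addresses below are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds for one 60-second window (tune to your own baseline).
PER_IP_LIMIT = 20        # requests allowed from a single source
BASELINE_SOURCES = 50    # normal number of distinct sources hitting one path
SPIKE_FACTOR = 10        # alert when distinct sources exceed baseline * factor


def build_window(n_bots, reqs_per_bot, n_users=30):
    """Constructed sample log: (src_ip, path) tuples for one window."""
    events = []
    for i in range(n_bots):
        ip = f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}"
        events += [(ip, "/login")] * reqs_per_bot
    for u in range(n_users):  # ordinary visitors, 5 requests each
        events += [(f"192.0.2.{u}", "/index.html")] * 5
    return events


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Classic per-source rate limit: sources exceeding the request limit."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}


def flooded_paths(events, baseline=BASELINE_SOURCES, factor=SPIKE_FACTOR):
    """Aggregate view: paths requested by an abnormal number of distinct sources."""
    sources = defaultdict(set)
    for ip, path in events:
        sources[path].add(ip)
    return {p: len(s) for p, s in sources.items() if len(s) > baseline * factor}


if __name__ == "__main__":
    # Few noisy hosts: the per-IP limit is enough.
    small = build_window(n_bots=3, reqs_per_bot=500)
    print("concentrated:", len(per_ip_offenders(small)), flooded_paths(small))

    # 100,000 devices sending 2 requests each: every source stays under
    # the per-IP limit, only the distinct-source count exposes the flood.
    large = build_window(n_bots=100_000, reqs_per_bot=2)
    print("distributed:", len(per_ip_offenders(large)), flooded_paths(large))
```
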


The attack works very similarly to a standard botnet. Users are tricked into installing malware that gains root access. Devices that are infected with malware become enslaved into a global botnet. From there, an attacker controls the actions of the device through a command and control system where they can send a number of attack commands to the devices so they will perform the specified action.

There is a growing amount of mobile malware found in the wild that allows an attacker to enlist the compromised device into their botnet for malicious purposes. GM Bot, Dendroid, DroidJack and Viking Horde are just a few of the variants seen in the wild. Often the malware can be purchased on the darknet or from a number of different forums and websites found on the clearnet.


Figure 2: Android Botnet advertisement

If you experience disrupted or lost network connectivity, fraud, installed or removed applications, or calls, SMS messages and emails being sent without your consent, your device might be infected with malware. It’s suggested that you wipe your phone and restore factory settings if you suspect that your device has been compromised.


Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
