**Massive Android Botnet "Kimwolf" Infects Millions, Strikes with DDoS**

The world of cybersecurity has been shaken by the discovery of a massive Android botnet dubbed "Kimwolf," which has infected an estimated 1.8 million devices and unleashed a torrent of distributed denial-of-service (DDoS) attacks.

According to a report from XLab, Kimwolf is linked to the Aisuru botnet and uses the wolfSSL library in its operations. The botnet primarily targets TV boxes; its samples are compiled with the Android NDK and carry DDoS, proxy forwarding, reverse shell, and file management functions.

But what sets Kimwolf apart from other botnets is its sheer scale and sophistication. Within a week of its discovery, the botnet's control domain had risen to prominence, even surpassing Google in Cloudflare's global rankings. Researchers have observed over 2.7 million IP addresses interacting with the botnet over three days, indicating that the infection rate may be even higher than initially thought.

Kimwolf's infrastructure spans multiple control domains, global time zones, and versions, making it extremely difficult to estimate the total number of infections. The botnet borrows code from the Aisuru family but has been redesigned to evade detection.

One of Kimwolf's primary functions is traffic proxying, but it can also launch massive DDoS attacks: in a single three-day period, between November 19 and 22, the botnet issued over 1.7 billion commands. Its control domains have been taken down multiple times, prompting the operators to adopt ENS blockchain domains for resilience.

Researchers stress the importance of sharing intelligence to counter this large-scale threat, which has already been observed in 222 countries and regions. The top 15 countries affected by Kimwolf are:

  • Brazil (14.63%)
  • India (12.71%)
  • USA (9.58%)
  • Argentina (7.19%)
  • South Africa (3.85%)
  • Philippines (3.58%)
  • Mexico (3.07%)
  • China (3.04%)
  • Thailand (2.46%)
  • Saudi Arabia (2.37%)
  • Indonesia (1.87%)
  • Morocco (1.85%)
  • Turkey (1.60%)
  • Iraq (1.53%)
  • Pakistan (1.39%)

"Giant botnets originated with Mirai in 2016, but in recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed," the XLab report notes. "This indicates that some attackers have started to turn their attention to various smart TVs and TV boxes."

The researchers conclude by highlighting the importance of giving due attention to smart TV-related devices, which often suffer from firmware vulnerabilities, pre-installed malicious components, weak passwords, and lack of security update mechanisms.

Conclusion

Kimwolf is a massive Android botnet that has infected millions of devices and unleashed a torrent of DDoS attacks. Its sophisticated design and ability to evade detection make it a significant threat to global cybersecurity. Researchers are urging the security community to give due attention to smart TV-related devices and share intelligence to counter this large-scale threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon for more updates on this story and other cybersecurity news.