Cybersecurity super team takes down Android malware botnet
A joint investigation by a number of high-profile companies has managed to bring down a botnet that was being used to run distributed denial of service attacks from infected Android devices.
The botnet first raised its head Aug. 17 when it was detected by multiple content delivery network providers. Dubbed WireX, an anagram for one of the delimiter strings in its command and control protocol, the botnet was found to be on more than 100,000 Android devices in 100-plus countries, making it a formidable foe.
Enter the tech version of the Avengers, in this case, the security teams at Akamai Technologies Inc., Cloudflare Inc., Flashpoint (EJ2 Communications Inc.), Google Inc., Oracle Dyn, RiskIQ Inc. and Team Cymru Inc., which all collaborated to take down WireX. The companies reported the effort Monday.
Their investigation found that WireX was sending tens of thousands of HTTP requests crafted to resemble those coming from legitimate browsers, in an attempt to hide their actual purpose. Having ascertained the method of attack, the investigators were then able to identify the unique “User-Agent” string carried by each request, then trace those strings back to malicious Android applications. Although a significant number of the applications were being offered on third-party app stores, the more disturbing finding was that about 300 apps infected with the malware were available to download from the Play Store, Google’s app store.
Not surprisingly, the apps were the usual mix of ad-supported junk often used as fronts for malware, including messaging, file explorer, video and ringtone apps.
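The pivot the article describes, grouping traffic by User-Agent and separating strings that only superficially resemble a browser from those that actually look like one, is something a defender can do on their own access logs. The following is an added example, not tooling from the investigation or from any of the companies named; the log lines are constructed in combined log format, and the browser-shape heuristic (a `Mozilla/` prefix, a parenthesised platform token and at least one known browser or engine token) is an assumption chosen for illustration, not a description of what WireX actually sent.

```python
import re
from collections import Counter, defaultdict

# Constructed sample traffic in Apache/nginx "combined" log format.
# Four requests from four different sources share a User-Agent that starts
# like a browser string but carries no recognisable browser or engine token.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
203.0.113.11 - - [17/Aug/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
198.51.100.20 - - [17/Aug/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) jkqzvbnm"
198.51.100.21 - - [17/Aug/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) jkqzvbnm"
198.51.100.22 - - [17/Aug/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) jkqzvbnm"
198.51.100.23 - - [17/Aug/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) jkqzvbnm"
203.0.113.12 - - [17/Aug/2017:10:00:04 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "curl/7.54.0"
203.0.113.13 - - [17/Aug/2017:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36"
this line is deliberately malformed and must be skipped by the parser
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens a real browser User-Agent is assumed to carry (illustrative list, not exhaustive).
BROWSER_TOKENS = ("Chrome/", "Firefox/", "Safari/", "Edge/", "MSIE ", "Trident/", "Opera/", "OPR/")


def looks_like_browser(ua: str) -> bool:
    """Heuristic shape check: does this User-Agent have the parts a browser string has?"""
    if not ua.startswith("Mozilla/"):
        return False
    if "(" not in ua or ")" not in ua:  # platform/OS token in parentheses
        return False
    return any(tok in ua for tok in BROWSER_TOKENS)


def find_suspicious_agents(log_text: str, min_requests: int = 3) -> dict:
    """Group requests by User-Agent and flag strings that fail the browser-shape
    check once they reach min_requests. Returns {ua: {"requests": n, "sources": k}}."""
    per_ua_requests = Counter()
    per_ua_sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ua, ip = m.group("ua"), m.group("ip")
        per_ua_requests[ua] += 1
        per_ua_sources[ua].add(ip)

    flagged = {}
    for ua, n in per_ua_requests.items():
        if n >= min_requests and not looks_like_browser(ua):
            flagged[ua] = {"requests": n, "sources": len(per_ua_sources[ua])}
    return flagged


if __name__ == "__main__":
    for ua, stats in find_suspicious_agents(SAMPLE_LOG).items():
        print(f"{stats['requests']} requests from {stats['sources']} sources: {ua!r}")
```

The distinct-source count matters as much as the request count: a non-browser User-Agent hammering one endpoint from a single address is a misbehaving script, while the same string arriving from many unrelated addresses is the shape of a distributed botnet. Low-volume tools such as the single `curl` request stay below the threshold and are not reported.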
“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” the Google researchers said in a statement posted by Cloudflare. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”
Cloudflare praised the collaboration, noting that “these discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms. Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”
The company encouraged companies suffering from DDoS attacks to share details of attacks with security companies, as it “allows for both formal and informal information sharing groups to communicate about and understand the attacks that are happening at a global scale, rather than simply what they see on their own platforms.”