This Android botnet relies on Twitter for its commands

Twitter users aren’t the only ones checking the microblogging service for important updates. Android malware is starting to do so, too.

One maker of Android malware is using Twitter to communicate with infected smartphones, according to security firm ESET.

The company discovered the feature in a malicious app called Android/Twitoor. It runs as a backdoor virus that can secretly install other malware on a phone.

Typically, the makers of Android malware control their infected smartphones from servers. Commands sent from those servers can create a botnet of compromised phones and tell the malware on all the phones what to do.

The makers of Android/Twitoor decided to use Twitter instead of servers to communicate with the infected phones. The malware routinely checks certain Twitter accounts and reads the encrypted posts to get its operating commands.

Lukas Stefanko, an ESET researcher, said in a Wednesday blog post that this was an innovative approach.  It removes the need to maintain a command and control server, and the communications with the Twitter accounts can be hard to discover.

“It’s extremely easy for the crooks to re-direct communications to another freshly created account,” he said.

ESET said this was first Twitter-controlled Android botnet it had ever found. Windows-based botnets using Twitter have been around since at least 2009.

ESET said Android/Twitoor hasn’t been detected in any app stores, so it probably spreads through malicious links sent to the victim. The malware pretends to be a porn player or multimedia messaging app, and it’s only been active for about a month.

So far, Android/Twitoor has been found downloading versions of mobile banking malware to users’ phones.

“In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks,” Stefanko added.