{ "id": "fc9d4377-f2e9-49f1-88fe-703be9ee4895", "created_at": "2026-04-06T00:15:06.611103Z", "updated_at": "2026-04-10T03:24:15.683379Z", "deleted_at": null, "sha1_hash": "3da149d6c60103785f89e39c09adf9a8ec257709", "title": "First Twitter-controlled Android botnet discovered", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43518, "plain_text": "First Twitter-controlled Android botnet discovered\r\nBy Editor\r\nArchived: 2026-04-05 19:48:47 UTC\r\nDetected by ESET as Android/Twitoor, this malware is unique because of its resilience mechanism. Instead of\r\nbeing controlled by a traditional command-and-control server, it receives instructions via tweets.\r\n24 Aug 2016  •  , 2 min. read\r\nAndroid/Twitoor is a backdoor capable of downloading other malware onto an infected device. It has been active\r\nfor around one month. This malicious app, detected by ESET as a variant of Android/Twitoor.A, can’t be found on\r\nany official Android app store – it probably spreads by SMS or via malicious URLs. It impersonates a porn player\r\napp or MMS application but without having their functionality.\r\nAfter launching, it hides its presence on the system and checks the defined Twitter account at regular intervals for\r\ncommands. Based on received commands, it can either download malicious apps or switch the C\u0026C Twitter\r\naccount to another one.\r\n“Using Twitter instead of command-and-control (C\u0026C) servers is pretty innovative for an Android\r\nbotnet.\"\r\n“Using Twitter instead of command-and-control (C\u0026C) servers is pretty innovative for an Android botnet,” says\r\nLukáš Štefanko, the ESET malware researcher who discovered the malicious app.\r\nMalware that enslaves devices to form botnets needs to be able to receive updated instructions. That\r\ncommunication is an Achilles heel for any botnet – it may raise suspicion and, cutting the bots off is always lethal\r\nto the botnet’s functioning.\r\nAdditionally, should the command-and-control (C\u0026C) servers get seized by the authorities, it would ultimately\r\nlead to disclosing information about the entire botnet.\r\nTo make the Twitoor botnet’s communication more resilient, botnet designers took various steps like encrypting\r\ntheir messages, using complex topologies of the C\u0026C network – or using innovative means for communication,\r\namong them the use of social networks.\r\n“These communication channels are hard to discover and even harder to block entirely. On the other hand, it’s\r\nextremely easy for the crooks to re-direct communications to another freshly created account,” explains Štefanko.\r\nIn the Windows space, Twitter, founded in 2006, was first used to control botnets as early as in 2009. Android bots\r\nhave also already been found being controlled via other non-traditional means – blogs or some of the many cloud\r\nmessaging systems like Google’s or Baidu’s – but Twitoor is the first Twitter-based bot malware, according to\r\nŠtefanko.\r\nhttp://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/\r\nPage 1 of 2\n\n“In the future, we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and\r\nother social networks”, states ESET’s researcher.\r\nCurrently, the Twitoor trojan has been downloading several versions of mobile banking malware. However, the\r\nbotnet operators can start distributing other malware, including ransomware, at any time warns Štefanko.\r\n“Twitoor serves as another example of how cybercriminals keep on innovating their business,” Stefanko\r\ncontinues. “The takeaway? Internet users should keep on securing their activities with good security solutions for\r\nboth computers and mobile devices.”\r\nHashes:\r\nE5212D4416486AF42E7ED1F58A526AEF77BE89BE\r\nA9891222232145581FE8D0D483EDB4B18836BCFC\r\nAFF9F39A6CA5D68C599B30012D79DA29E2672C6E\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/\r\nhttp://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" ], "report_names": [ "first-twitter-controlled-android-botnet-discovered" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53", "created_at": "2022-10-25T16:07:24.441133Z", "updated_at": "2026-04-10T02:00:04.993411Z", "deleted_at": null, "main_name": "Achilles", "aliases": [], "source_name": "ETDA:Achilles", "tools": [ "RDP", "Remote Desktop Protocol" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434506, "ts_updated_at": 1775791455, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3da149d6c60103785f89e39c09adf9a8ec257709.pdf", "text": "https://archive.orkl.eu/3da149d6c60103785f89e39c09adf9a8ec257709.txt", "img": "https://archive.orkl.eu/3da149d6c60103785f89e39c09adf9a8ec257709.jpg" } }