The Kimwolf botnet has expanded to over two million infected Android devices by exploiting vulnerabilities in residential proxy networks and exposed debugging services. Primarily targeting streaming boxes and TV devices, the malware utilizes these compromised systems to launch massive DDoS attacks and monetize traffic through unauthorized proxy resale.
The Kimwolf botnet represents a significant evolution of the Aisuru malware family, specifically tailored to compromise Android-based hardware. Since last August, security researchers have noted a sharp increase in activity as the botnet scans for devices with open Android Debug Bridge (ADB) services. An ADB service exposed to the network allows the malware to gain unauthenticated access to the device, effectively turning household electronics into remote-controlled tools for cybercriminals.
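The scanning behaviour described above leaves a recognisable trace in perimeter logs: many connection attempts from one source to the default ADB-over-TCP port (5555) across different internal hosts, and any internal host that accepts such a connection is one that has ADB exposed. The following is an added example, not code from the article or from the researchers it cites; it parses a constructed, simplified firewall log format (`timestamp src_ip src_port dst_ip dst_port action`) and the scanner threshold of three distinct targets is an assumption chosen for illustration.

```python
"""Detection helper: find hosts exposing ADB over TCP and sources scanning for it.

Assumptions (not from the article): a simplified firewall log with one
connection per line in the form
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <ALLOW|DENY>
and a scanner threshold of 3 distinct destination hosts.
"""
from collections import defaultdict
from dataclasses import dataclass

# Default port used by Android Debug Bridge when enabled over TCP/IP.
ADB_TCP_PORT = 5555

# Constructed sample log lines for illustration only (RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 203.0.113.7   41000 192.168.1.20 5555 ALLOW
2024-01-01T10:00:01Z 203.0.113.7   41001 192.168.1.21 5555 DENY
2024-01-01T10:00:02Z 203.0.113.7   41002 192.168.1.22 5555 DENY
2024-01-01T10:00:03Z 203.0.113.7   41003 192.168.1.23 5555 DENY
2024-01-01T10:00:05Z 198.51.100.9  52000 192.168.1.20 443  ALLOW
2024-01-01T10:00:06Z 192.168.1.20  5555  203.0.113.7  41000 ALLOW
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    action: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src_ip, src_port, dst_ip, dst_port, action = fields
        records.append(Conn(ts, src_ip, int(src_port), dst_ip, int(dst_port), action.upper()))
    return records


def find_exposed_adb(records):
    """Internal hosts that accepted an inbound connection on the ADB port.

    Any hit here means ADB is reachable from outside; the fix is to disable
    wireless/TCP debugging on the device and block the port at the edge.
    """
    return {r.dst_ip for r in records if r.dst_port == ADB_TCP_PORT and r.action == "ALLOW"}


def find_adb_scanners(records, min_targets=3):
    """Sources that probed the ADB port on at least `min_targets` distinct hosts.

    Denied attempts count too: a scanner is identified by breadth, not success.
    """
    targets = defaultdict(set)
    for r in records:
        if r.dst_port == ADB_TCP_PORT:
            targets[r.src_ip].add(r.dst_ip)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hosts exposing ADB:", sorted(find_exposed_adb(recs)))
    print("ADB scanners:", sorted(find_adb_scanners(recs)))
```

Run against the constructed sample, the script reports `192.168.1.20` as exposing ADB (it accepted a connection on 5555) and `203.0.113.7` as a scanner (four distinct targets on 5555). The outbound line from `192.168.1.20` is deliberately ignored: only connections *to* the ADB port indicate exposure.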
Recent data indicates that the botnet has grown rapidly, reaching a scale of approximately two million active hosts. These devices generate a staggering twelve million unique IP addresses every week, providing the operators with a massive and rotating infrastructure. While early reports in December placed the number of compromised units slightly lower, the most recent tracking confirms a steady upward trajectory in infections across the globe.
The primary targets for this campaign are Android TV boxes and similar streaming peripherals that lack robust security configurations. In many instances, these devices are compromised even before they reach the consumer, as certain proxy software kits are pre-installed during the manufacturing or distribution process. Once active, the malware integrates the device into a larger network designed for high-capacity malicious operations.
The impact of this botnet is most visible in the realm of distributed denial-of-service attacks. The underlying Aisuru architecture has already been linked to record-breaking traffic spikes, including one incident that peaked at nearly thirty terabits per second. Beyond outages, the operators generate profit by selling access to these compromised residential IPs and using third-party software kits to force app installations on the infected hardware.
Geographically, the infection is most prevalent in regions such as Vietnam, Brazil, India, and Saudi Arabia. This distribution highlights a widespread vulnerability in budget Android hardware markets where security updates and locked-down configurations are often overlooked. As the botnet continues to scan for new targets, it remains a potent threat to both individual privacy and the stability of global internet infrastructure.
Source: Kimwolf Android Botnet Uses Residential Proxies To Infect Devices