Android botnet Kimwolf infects nearly two million smart devices

A newly analysed Kimwolf botnet shows how compromised home devices are becoming tools for large-scale cyberattacks.
Researchers identified an Android botnet controlling nearly two million smart devices and linked to large-scale DDoS activity.

Cybersecurity researchers have identified a large Android-based botnet capable of more than distributed denial-of-service attacks, highlighting growing risks from compromised consumer devices. The botnet, dubbed Kimwolf, is estimated to control close to two million infected systems worldwide.

The findings come from QiAnXin XLab, which said Kimwolf has infected around 1.8 million devices, mainly smart TVs, set-top boxes and tablets. Most infections were observed in Brazil, India, the US, Argentina, South Africa and the Philippines.

XLab said the infection vector remains unclear, but affected devices were linked to low-cost Android-based brands used for media streaming. Researchers noted repeated attempts to disrupt the Kimwolf, with its command-and-control infrastructure taken down several times before re-emerging.

According to the report, Kimwolf has adapted by shifting to decentralised infrastructure, including the use of Ethereum Name Service domains. Analysts also identified overlaps in code and infrastructure with AISURU, a botnet linked to record-scale DDoS attacks.

Cloudflare recently described AISURU as one of the largest robot networks observed, capable of attacks exceeding 29 terabits per second. XLab said shared infrastructure suggests both botnets are operated by the same threat group.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!