A large botnet targeting Android devices has become one of the more significant threats in the current landscape.
Named Kimwolf, the malware has compromised approximately 1.8 million Android devices worldwide, including smart TVs, set-top boxes, tablets and other Android-based systems.
Security researchers discovered the botnet after a trusted community partner provided the initial sample in October 2025. The sample's command-and-control domain ranked second in Cloudflare's global domain popularity rankings, which by itself indicated an unusually large population of devices resolving it.
The botnet’s reach spans across 222 countries and regions, with the highest concentration of infected devices in Brazil (14.63%), India (12.71%), and the United States (9.58%).
Infected devices are spread across time zones worldwide, so the botnet is active around the clock and hard to monitor comprehensively.
The scale of the operation shows that the operators can build and maintain infrastructure capable of large, globally distributed attacks.
Xlab Qianxin analysts identified Kimwolf as a native botnet built with the Android NDK that combines the usual DDoS capabilities with proxy forwarding, a reverse shell and file management functions.
The malware also uses evasion techniques rarely seen in comparable threats: it resolves its C2 addresses over DNS over TLS (DoT), which keeps the lookups out of plaintext DNS monitoring, and it protects its command channel with elliptic-curve digital signatures so that bots execute only commands signed by the operators.
Infection mechanism
The infection chain shows how Kimwolf gets a foothold on a compromised device: an APK drops a native binary payload, disguised as a legitimate system service, and executes it.
On execution, the payload creates a Unix domain socket named after the botnet version; because a second bind on the same name fails, this guarantees that only one instance runs on a device at a time.
The malware then decrypts its embedded command-and-control domains and resolves them with DoT queries to public DNS servers on port 853, so the lookups travel inside TLS and are invisible to plaintext DNS monitoring.
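As an added example (not code from the report or from the malware), here is the single-instance check described above together with the defender's view of it: a process binds a Unix domain socket under a version-derived name, a second bind on the same name fails, and on Linux/Android an abstract-namespace socket shows up with a leading "@" in /proc/net/unix. The socket name and the /proc/net/unix excerpt are constructed for the example; the report does not publish the real name.

```python
import os
import socket
import sys
import tempfile

# Hypothetical name: the report says the socket is named after the botnet
# version but does not give the string.
INSTANCE_SOCKET_NAME = "kimwolf_example_version"


def _socket_address(name: str) -> str:
    # Linux/Android: abstract namespace (leading NUL byte), so no file is
    # created and the name disappears with the process. Other platforms lack
    # that namespace, so fall back to a socket file in the temp directory.
    if sys.platform.startswith("linux"):
        return "\0" + name
    return os.path.join(tempfile.gettempdir(), name + ".sock")


def acquire_instance_lock(name: str):
    """Return a bound socket if this is the first instance, else None.

    The kernel refuses a second bind() on a name that is already bound
    (EADDRINUSE), so the bound socket works as a process-wide mutex.
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(_socket_address(name))
    except OSError:
        sock.close()
        return None
    return sock


def release_instance_lock(sock: socket.socket, name: str) -> None:
    """Close the lock socket; remove the socket file on non-Linux hosts."""
    sock.close()
    addr = _socket_address(name)
    if not addr.startswith("\0") and os.path.exists(addr):
        os.unlink(addr)


def abstract_sockets(proc_net_unix: str) -> list:
    """Return abstract-namespace socket names from /proc/net/unix text.

    Columns: Num RefCount Protocol Flags Type St Inode Path. The kernel
    prints abstract names with a leading '@'; unnamed sockets have only
    seven columns and are skipped.
    """
    names = []
    for line in proc_net_unix.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 8 and fields[7].startswith("@"):
            names.append(fields[7][1:])
    return names


def live_abstract_sockets() -> list:
    """Same check against the running host (Linux/Android only)."""
    with open("/proc/net/unix") as fh:
        return abstract_sockets(fh.read())


# Constructed /proc/net/unix excerpt, not captured from a real device.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 24001 @kimwolf_example_version
0000000000000000: 00000002 00000000 00010000 0001 01 24002 /dev/socket/logdw
0000000000000000: 00000003 00000000 00000000 0001 03 24003
0000000000000000: 00000002 00000000 00010000 0001 01 24004 @jdwp-control
"""

if __name__ == "__main__":
    lock = acquire_instance_lock(INSTANCE_SOCKET_NAME)
    print("first instance acquired:", lock is not None)
    print("second instance acquired:", acquire_instance_lock(INSTANCE_SOCKET_NAME) is not None)
    release_instance_lock(lock, INSTANCE_SOCKET_NAME)
    print("abstract sockets:", abstract_sockets(SAMPLE_PROC_NET_UNIX))
```

On a device under investigation, `cat /proc/net/unix` and look for an abstract name that matches no known system service; the abstract namespace leaves no file on disk, so a filesystem scan will not find it. The file-based fallback used on non-Linux hosts has the usual weakness that a stale socket file from a crashed process blocks later instances, which is one reason the abstract namespace is the natural choice on Android.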
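What a DoT lookup looks like underneath the TLS layer, as an added example that is not code from the report or the malware: the query is ordinary DNS wire format with the 2-byte length prefix that DNS over TCP and DoT (RFC 7858) use, and the bot only needs the A records out of the reply. The domain, the addresses and the constructed reply are made up for the example, and `resolve_over_dot` assumes Cloudflare's 1.1.1.1 resolver with its `cloudflare-dns.com` certificate name; the report does not say which public resolvers the bot queries.

```python
import socket
import ssl
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A query in wire format, prefixed with the 2-byte length that
    DNS over TCP and DNS over TLS (RFC 7858) require."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(frame: bytes) -> list:
    """Extract IPv4 answers from a length-prefixed DNS response."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query_frame: bytes, ips: list, ttl: int = 300) -> bytes:
    """Construct a resolver reply for the query (stands in for a real DoT
    server here). Each answer refers back to the question name at offset 12
    with the compression pointer 0xC00C."""
    q = query_frame[2:]
    qend = _skip_name(q, 12) + 4
    msg = q[:2] + struct.pack("!HHHHH", 0x8180, 1, len(ips), 0, 0) + q[12:qend]
    for ip in ips:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!H", len(msg)) + msg


def resolve_over_dot(name: str, resolver: str = "1.1.1.1",
                     server_name: str = "cloudflare-dns.com") -> list:
    """What the bot does on the wire: the same query inside TLS to port 853.
    Needs network access; resolver and certificate name are assumptions."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_query(name))
            prefix = tls.recv(2)
            (length,) = struct.unpack("!H", prefix)
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("DoT response truncated")
                body += chunk
    return parse_a_records(prefix + body)


if __name__ == "__main__":
    # Constructed round trip; the name and addresses are made up.
    query = build_query("c2.example.test")
    reply = build_response(query, ["203.0.113.5", "203.0.113.6"])
    print(parse_a_records(reply))  # ['203.0.113.5', '203.0.113.6']
```

For a defender the consequence is that the query name never appears on the wire in the clear: what remains visible is an outbound TLS session to port 853 of a public resolver, so flow-level monitoring of TCP/853 from devices that have no business using DoT (set-top boxes and smart TVs) is the practical detection point, and the decoded queries are only recoverable from the emulated or instrumented binary.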
To decrypt sensitive data, including the C2 addresses, Kimwolf relies on stack-based XOR operations over its encrypted strings: the encrypted bytes are placed on the stack and XOR-decoded at runtime. The researchers automated the decryption by emulating these routines, which uncovered multiple hidden C2 domains embedded in the binary.
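An added example of the analyst side of this step (not code from the report): the stack stores recorded by an emulator are put back into buffer order, and because a C2 string has to decode to a plausible hostname, a single-byte XOR key can be recovered by brute force without locating the key constant in the binary. The repeating single-byte key, the sample string "c2.example.test" and the store trace are assumptions constructed for the example; the report does not describe the key scheme.

```python
import string

# Characters allowed in a hostname; used to score candidate decryptions.
_HOSTNAME_BYTES = frozenset((string.ascii_lowercase + string.digits + "-.").encode())


def assemble_stack_string(stores: list) -> bytes:
    """Rebuild the byte buffer from recorded (stack_offset, byte) stores.

    Compilers emit stack strings as a series of immediate stores in no
    particular order; an emulator records the writes and this puts them
    back into buffer order.
    """
    buf = bytearray(max(off for off, _ in stores) + 1)
    for off, value in stores:
        buf[off] = value
    return bytes(buf)


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_hostname(data: bytes) -> bool:
    return bool(data) and b"." in data and all(b in _HOSTNAME_BYTES for b in data)


def recover_single_byte_key(blob: bytes) -> list:
    """Try all 256 single-byte keys and keep those that yield a plausible
    hostname, so the analyst need not find the key constant in the code."""
    hits = []
    for key in range(256):
        plain = xor_decode(blob, bytes([key]))
        if looks_like_hostname(plain):
            hits.append((key, plain))
    return hits


# Constructed sample: "c2.example.test" XOR 0x5A, recorded as out-of-order
# stack stores the way an emulator trace would list them.
SAMPLE_STORES = [
    (4, 0x22), (0, 0x39), (9, 0x3F), (2, 0x74), (14, 0x2E), (7, 0x2A),
    (1, 0x68), (11, 0x2E), (5, 0x3B), (13, 0x29), (3, 0x3F), (8, 0x36),
    (10, 0x74), (6, 0x37), (12, 0x3F),
]

if __name__ == "__main__":
    blob = assemble_stack_string(SAMPLE_STORES)
    for key, plain in recover_single_byte_key(blob):
        print(hex(key), plain.decode())  # 0x5a c2.example.test
```

With a multi-byte key the same idea still works as a known-plaintext attack: XOR the ciphertext against a suffix you expect (a TLD label, a NUL terminator) to recover the key bytes at those positions, then check whether the repeating pattern decodes the rest. Full emulation, as the researchers used, avoids guessing altogether because it simply lets the binary's own routine do the decoding.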
All of the malware's network communication is TLS-encrypted and uses a fixed header/body format in which the header carries a magic value, a message type, an ID and a CRC32 checksum.
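An added example of such a framing layer, written for this page rather than taken from the report or the malware: a packer and a parser for a header of magic, type, ID, body length and CRC32, with the parser rejecting a bad magic, a truncated body or a checksum mismatch, which is what an analyst's decoder needs once the TLS layer has been stripped. The field sizes and order, the magic value `KWLF`, the type codes and the choice to compute the CRC over the body are all assumptions; the report lists the fields but not their layout.

```python
import struct
import zlib

# Assumed layout (the report gives the fields, not their sizes or order):
# magic(4) | type(1) | id(4) | body_len(4) | crc32(4), big-endian, then body.
HEADER = struct.Struct("!4sBIII")
MAGIC = b"KWLF"  # hypothetical magic value

# Hypothetical type codes for the three handshake stages.
MSG_REGISTER, MSG_VERIFY, MSG_CONFIRM = 1, 2, 3


class FrameError(ValueError):
    pass


def pack_frame(msg_type: int, msg_id: int, body: bytes) -> bytes:
    """Build one frame; the CRC32 covers the body (an assumption)."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return HEADER.pack(MAGIC, msg_type, msg_id, len(body), crc) + body


def unpack_frame(data: bytes):
    """Parse one frame from the front of `data`.

    Returns (msg_type, msg_id, body, remaining_bytes). Raises FrameError on
    a bad magic, a body shorter than the header claims, or a CRC mismatch.
    """
    if len(data) < HEADER.size:
        raise FrameError("short header")
    magic, msg_type, msg_id, body_len, crc = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise FrameError("bad magic %r" % magic)
    end = HEADER.size + body_len
    if len(data) < end:
        raise FrameError("truncated body")
    body = data[HEADER.size:end]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise FrameError("crc mismatch")
    return msg_type, msg_id, body, data[end:]


def is_valid_frame(data: bytes) -> bool:
    """True if `data` starts with a well-formed frame."""
    try:
        unpack_frame(data)
        return True
    except FrameError:
        return False


def split_frames(stream: bytes) -> list:
    """Split a decrypted TLS stream into (type, id, body) tuples; raises on
    the first malformed frame, since everything after it is unaligned."""
    frames = []
    while stream:
        msg_type, msg_id, body, stream = unpack_frame(stream)
        frames.append((msg_type, msg_id, body))
    return frames


if __name__ == "__main__":
    # Constructed handshake stream: three frames back to back.
    stream = (pack_frame(MSG_REGISTER, 1, b"bot-id=0001")
              + pack_frame(MSG_VERIFY, 2, b"challenge")
              + pack_frame(MSG_CONFIRM, 3, b""))
    print(split_frames(stream))
    damaged = bytearray(stream)
    damaged[HEADER.size] ^= 0x01  # flip one body byte of the first frame
    print("damaged stream valid:", is_valid_frame(bytes(damaged)))  # False
```

The CRC is an integrity check against corruption, not against tampering; anyone who can modify the stream can recompute it. That is why the command channel needs the signature check described below the handshake and not just a checksum.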
Communication between the bots and the C2 infrastructure follows a three-stage handshake of registration, verification and confirmation.
The verification stage uses the Elliptic Curve Digital Signature Algorithm (ECDSA), so a bot executes only commands that carry a valid signature from the legitimate C2 servers. The measure is aimed at unauthorized takedowns: anyone who seizes or sinkholes a C2 domain still cannot issue commands to the bots without the operators' private key.
Between November 19 and 22, Kimwolf issued 1.7 billion DDoS attack commands against a wide range of IP addresses worldwide.
The botnet supports 13 DDoS attack methods, including UDP floods, TCP SYN floods and SSL socket attacks, giving the operators options suited to different targets.
