WireX DDoS Android Malware Question

Hi

I'm re-posting here this question I found in this site because I'm facing the same behavior in our F5-ASM:

https://www.ethicalhacker.net/forums/topic/wirex-ddos-android-malware-question/

Hello everyone

I help to manage a WAF in my organization and we get approximately 2000 log entries per month, mainly on our main corporate website’s WAF policy, that trigger a signature that concerns the WireX DDoS Android Malware. Here is an example request (headers only):

GET

/blah/blah/blah

HTTP/1.1

Host: http://www..com

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36

Sec-Fetch-Dest: document

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

accept-language: en

x-requested-with:

content-language: en

Sec-Fetch-Site: none

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Referer: https://blablabal.com/redirect

Accept-Encoding: gzip, deflate

I believe the empty x-requested-with: header is what is triggering this signature.

My question for you is – is this still a concern? Should we still continue to block these requests or based on what you see above, could this be a false positive?

Thank you.