A team of tech companies has all but dislodged a big botnet, or army of compromised computers, consisting of phones running Google’s Android operating system.
The phones were running hundreds of malicious apps that had sneaked their way onto the Google Play app store this summer. Beginning as a click fraud scheme, in which crooks make money through illegitimate advertising impressions generated by zombie computers, the botnet was eventually adapted into digital artillery for launching distributed denial of service attacks, which flood websites with overwhelming traffic.
Google (GOOG) said that it had identified and blocked 300 apps that caused the problem. Many of the apps purported to be media and video players, ringtones, or tools for storage managers and app stores, and were mostly downloaded in markets such as Russia, China, and other Asian countries.
“We’re in the process of removing them from all affected devices,” Google said in a statement.
Companies that collaborated on the investigation and takedown included content delivery networks Akamai (AKAM) and Cloudflare, threat intelligence firm Flashpoint, Internet infrastructure provider Oracle (ORCL) Dyn, cybersecurity firms RiskIQ and Team Cymru, the Federal Bureau of Investigation, and others.
Get Data Sheet, Fortune’s technology newsletter
The botnet, dubbed “WireX” by researchers, had infected 120,000 phones at its peak earlier this month and sent 20,000 page requests per second, activity that pummels target computer servers. Although the botnet is still active, it is not operating anywhere near its previous intensity.
“This is the first time we’ve seen a very large network of Android phones and mobile phones used to launch denial of service attacks,” Matthew Prince, CEO and co-founder of Cloudflare, tells Fortune.
Allison Nixon, director of security research at Flashpoint, agrees. “The number of infected devices and total requests per second was massive,” she says.
While the strength of the botnet was unusual for one based on mobile phones, it is far from the largest denial of service attack on record. Some of the most powerful ones—including last year’s Mirai barrage, which caused Internet outages on the eastern seaboard of the U.S.—have spewed hundreds of millions of requests per second.
The botnet’s composition gives it unique characteristics. “Mobile devices are highly transient devices and this toolset had capabilities to attack while the device was sleeping, on Wi-Fi, and on mobile networks,” says Chad Seaman, an engineer at Akamai. He notes that this mobility allows the devices to launch attacks from many different networks throughout a day without the user being any the wiser: from the victim’s home, from coffee shops, from various cell towers, from a corporate network.
“There are a lot of mobile phones in the world. If you could infect those, they could be used to launch big attack,” Prince says. “While it wasn’t severe at this time, hopefully this is not a trend of what’s to come.”
