The development and purpose of the mobile applications developed by ISIS indicate that its cyber Jihad capabilities may be increasing more rapidly than some security researchers believe. In 2014, ISIS released the “Dawn of Glad Tidings” application to propagate its message on Twitter, recruit new followers, and increase its renown. Thousands of users downloaded the “Dawn of Glad Tidings” application from the Google Play store before it was removed for violating Google’s community guidelines. More significantly, the “Dawn of Glad Tidings” application asked to access a surprising amount of personal information on the native devices, and thousands of Android users accepted those terms. What ISIS, the terrorist organization, does with the data accessed is unknown to them. Some have alleged that the “Dawn of Glad Tidings” application led to identity theft, while others dismiss the claims. If ISIS goes to the trouble of developing the “Dawn of Glad Tidings” application and programming it to collect specific personal information, there is likely an ulterior motive. If true, then ISIS has displayed a level of sophistication, the theft and exploitation of personally identifiable information, above what it had previously shown. ISIS has released a few Android applications like “Dawn of Glad Tidings” since then, and it seems just as unlikely that they were created out of goodwill.

In December 2015, IBTimes and members of Anonymous reported that the ISIS Android application known as Amaq Agency might have been behind a targeted DDoS attack against the root name servers that support the global internet. The Amaq Agency attack occurred between November 30, 2015, and December 1, 2015, and it targeted 13 internet root name servers. In an interview with IBTimes, John McAfee claimed, “This is as serious as it gets. We have absolutely no defenses in place to counter this threat. If the perpetrators had activated more phones we would have lost the internet.” Supposedly, when the Amaq Agency application was running, it stored the addresses of the 13 root name servers in an encrypted packet in memory. The addresses did not appear inside the static code for the application; the encrypted packet was only accessible when the application was running. The packet decrypted at runtime, which caused security researchers to wonder what contents it held. The attacks flooded the servers with a peak of 5 million queries per second. It is estimated that as few as 18,000 devices on Wi-Fi networks could have generated that volume of traffic. DEFCON organizer Eddie Mize told IBTimes, “Imagine if the internet went down for several days, I believe we would see significant power grid failure and potentially loss of emergency services. This could mean the failure of dams and flood controls, power and water distribution, natural gas distribution and control failure, and more. Perhaps the most alarming aspect would be to the financial sector. I believe that loss of the internet for even a two-week period could cause enough disruption to financial institutions that consumers would lose confidence and this could be catastrophic to the markets. All of this could set up a chain reaction that could send the public into a panicked tailspin.” There are 370 more permanent servers, but taking these servers down through a similar DDoS attack would be trivial.

At the peak of the DDoS attack, the servers received more than five million queries per second, and more than 50 billion queries in total during the two-day period. Verisign, whose servers were among the targets, contends that the source addresses were spoofed and therefore attribution is inconclusive. However, the originating IPv4 addresses were evenly distributed and every request asked to resolve to the same address, which is unlikely in the event of spoofing. A targeted botnet is a more likely source of the attack. The Amaq Agency attack was the third time since 2012 that a DDoS attack had been carried out against the root name servers. In March 2013, a group that had previously conducted DDoS attacks against Spamhaus, a spam prevention organization, attacked critical hubs for the internet relied upon by western infrastructure, such as the London Internet Exchange (LINX), the Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange (DE-CIX), and the Hong Kong Internet Exchange (HKIX).
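The two traffic traits described above, one queried name dominating the window and source addresses spread evenly, can be measured directly from a name server's query log. The following is an added example, not code from the original article: the thresholds, the /8 bucketing, the reading of "the same address" as a single queried name, and the sample windows are all assumptions made for illustration.

```python
import math
from collections import Counter

def evenness(counts):
    """Normalized Shannon entropy in [0, 1]; 1.0 means a perfectly even spread."""
    total = sum(counts)
    if total == 0 or len(counts) < 2:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts if c)
    return h / math.log2(len(counts))

def analyze_window(queries, min_queries=1000, name_share=0.9, src_evenness=0.95):
    """queries: (source IPv4, queried name) pairs seen in one time window.
    Thresholds are illustrative assumptions, not values from the article."""
    queries = list(queries)
    if not queries:
        return {"total": 0, "top_name": None, "top_share": 0.0,
                "source_evenness": 0.0, "flagged": False}
    names = Counter(name.lower().rstrip(".") for _, name in queries)
    # Bucket sources by first octet (/8) so the spread is comparable across windows.
    blocks = Counter(ip.split(".")[0] for ip, _ in queries)
    top_name, top_count = names.most_common(1)[0]
    share = top_count / len(queries)
    spread = evenness(list(blocks.values()))
    flagged = (len(queries) >= min_queries and share >= name_share
               and spread >= src_evenness)
    return {"total": len(queries), "top_name": top_name, "top_share": share,
            "source_evenness": spread, "flagged": flagged}

# Constructed sample windows (not captured traffic).
# FLOOD: one name, sources spread evenly over 200 first-octet blocks.
FLOOD = [(f"{1 + i % 200}.{i * 7 % 256}.{i * 13 % 256}.{i * 29 % 256}",
          "flood-name.example.") for i in range(2000)]
# BASELINE: a handful of resolvers asking for many different names.
RESOLVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5", "203.0.113.7"]
BASELINE = [(RESOLVERS[i % 5], f"host{i % 40}.example.") for i in range(2000)]

if __name__ == "__main__":
    for label, window in (("flood", FLOOD), ("baseline", BASELINE)):
        print(label, analyze_window(window))
```

These two measurements only mark a window for closer inspection; on their own they do not separate spoofed sources from real devices.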

Though an extreme scenario, the threat posed by a prolonged attack on the internet should not be underestimated. The internet was not designed with security in mind. Even with commercial tools in place to ensure some semblance of security, the underlying infrastructure supporting the internet has inherent vulnerabilities that cannot be patched or repaired. Assuming that added applications and tools can adequately secure the internet is akin to sealing the door to a house to prevent water from reaching its basement when water is already creeping through the foundation. Consider that the western internet infrastructure has approximately 60 Tbps of available bandwidth. According to Cloudflare CEO Matthew Prince, at the 2013 Defcon Conference in Las Vegas, an unsophisticated attack of 12 Tbps was very possible. An attack that drew a fifth of the available bandwidth of the western internet would disrupt business communications, traffic lights, some transportation networks, and some operations within critical infrastructure such as at water treatment plants or power generation and distribution facilities.

If such a botnet were to be fully deployed, the global impact would be “catastrophic” for financial and essential services. Mize believes “we have no defenses [against a mobile app botnet] and it was entirely unanticipated. The people in power need to be woken up before the world as we know comes to an end.” Even if Verisign is correct and the attack was not the machinations of ISIS, it is important to consider the alternative.

It remains unclear how many users downloaded the Amaq Agency application because ISIS distributes the free download on Pastebin and other channels instead of through the Google Play store. In any case, cell phones are cheap. An AT&T GoPhone with Wi-Fi capabilities costs as little as $20. If ISIS deployed an infected mobile application on the mobile phone of every one of its members, then it could repeat this attack. With more than one phone per member, the results would be more significant. Consider instead if ISIS released a mobile application that did not promote ISIS and did not appear malicious. For example, if ISIS released a “Candy-Crush knockoff” application, put it on the Google Play store for free, and conducted widespread attacks through the botted mobile devices, how many systems would be at their disposal? How much personal information would mobile gamers nonchalantly give away when they accepted the terms and conditions? Loss of the internet would harm the Western nations more than the territories controlled by ISIS. Even if the target of the DDoS were not the root name servers supporting the internet, a DDoS from a widespread number of mobile devices would be powerful.


Finally, in May 2016, the ISIS help desk developed and released an Android application called Huroof through an active Telegram channel. Huroof is meant to teach children the Arabic alphabet through militaristic vocabulary words. It also contains Jihadist-themed flash cards, songs, and cartoon animations. The application indicates that ISIS plans to sustain its occupation long enough for a new generation of militants to mature. In that case, what prevents them from tailoring their content for the younger generation towards the acquisition of information security and other technical skills? A more educated wave of jihadists will inevitably mean that the zealous organization will be more dangerous.

Mobile applications enable ISIS to quietly aggregate a store of personal information and to position insider threats to an organization. Perhaps the infected device will knowingly be carried into an organization to infect their BYOD devices on their network. Perhaps the insider threat will never realize that the game that they downloaded is spreading malware in the background. In either case, ISIS can use its budding cyber Jihad capabilities and its mobile applications to increase its reach and influence. Even if a malicious application just sent an extremist text to the user’s contacts, it would still achieve a desirable impact for the terror organization.
