Android.Sockbot Google Play Malware Traps Millions Of Devices In Zombie Botnet

Symantec has issued a warning that it found at least eight different apps on Google Play that were infected with a malware called Android.Sockbot. The apps all posed as add-ons for Minecraft: Pocket Edition and claimed to change the way characters look in the game with new skins. The infection from these apps was widespread with an install base between 600,000 and 2.6 million devices.


The malware was mainly focused on infecting users in the U.S., but there were infections in Russia, Ukraine, Brazil, and Germany as well. Symantec says that it set up network analysis of the malware and found that it was aimed at generating illegal ad revenue. However, the apps themselves contained no integrated functionality for displaying ads.

Symantec writes, "The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests."

While the apps were set up to generate illegitimate ad revenue, Symantec notes that the malware's proxy topology was very flexible: it could easily have been repurposed to exploit a range of network-based vulnerabilities and could potentially reach across security boundaries. The large install base could also be leveraged to mount DDoS attacks.
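The reverse-proxy chain Symantec describes above (outbound to C&C on port 9001, then an inbound connection from an operator-chosen address, then relayed outbound connections) gives a defender a concrete pattern to hunt for in flow logs. The following Python heuristic is an added example, not code from the article or from Symantec's report; the flow-log format, the five-minute relay window, and all addresses are constructed assumptions.

```python
# Added example (not from Symantec's report): flag devices whose flow records
# match the Sockbot chain  out->C&C:9001,  then inbound accept,  then relay out.
# Flow records and addresses are constructed for illustration only.
from collections import defaultdict
from datetime import datetime, timedelta

CNC_PORT = 9001                         # port named in the Symantec description
RELAY_WINDOW = timedelta(minutes=5)     # assumption: relays follow the inbound quickly

# Constructed flow log: timestamp, direction (from the phone's view), device, peer ip, peer port
FLOW_LOG = """\
2017-10-05T09:00:01 out 10.1.1.20 203.0.113.10 9001
2017-10-05T09:00:07 in  10.1.1.20 198.51.100.7 34567
2017-10-05T09:00:09 out 10.1.1.20 192.0.2.44 443
2017-10-05T09:00:12 out 10.1.1.20 192.0.2.45 80
2017-10-05T09:01:00 out 10.1.1.21 192.0.2.99 443
2017-10-05T09:02:00 out 10.1.1.22 203.0.113.10 9001
"""

def parse_flows(text):
    """Parse the constructed log into (time, direction, device, peer, port) tuples."""
    flows = []
    for line in text.splitlines():
        ts, direction, device, peer, port = line.split()
        flows.append((datetime.fromisoformat(ts), direction, device, peer, int(port)))
    return flows

def find_proxy_devices(flows, cnc_port=CNC_PORT, window=RELAY_WINDOW):
    """Return {device: reason} for devices showing the C&C -> inbound -> relay chain."""
    by_device = defaultdict(list)
    for f in sorted(flows):
        by_device[f[2]].append(f)
    flagged = {}
    for device, recs in by_device.items():
        cnc = [r for r in recs if r[1] == "out" and r[4] == cnc_port]
        if not cnc:
            continue                     # no C&C contact: nothing to chain from
        for r in recs:
            # a handset ACCEPTING a connection after talking to 9001 is the tell
            if r[1] == "in" and r[0] >= cnc[0][0]:
                relays = [s for s in recs
                          if s[1] == "out" and s[4] != cnc_port
                          and r[0] < s[0] <= r[0] + window]
                if relays:               # inbound followed by outbound = proxying
                    flagged[device] = (f"cnc:{cnc[0][3]}:{cnc_port} "
                                       f"inbound:{r[3]} relayed:{len(relays)}")
                    break
    return flagged

if __name__ == "__main__":
    print(find_proxy_devices(parse_flows(FLOW_LOG)))
```

Device 10.1.1.22 only reaches port 9001 and is not flagged by itself; the chain, not the port alone, is what distinguishes an active proxy node from an ordinary outbound connection.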


Symantec writes, "There is a single developer account named FunBaster associated with this campaign. The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well."

Symantec says that it notified Google of the malware-laced apps on October 6 and that Google has already removed them from the Play Store. Symantec also offers tips for reducing the risk of infecting your Android device, including keeping software up to date, not downloading apps from unfamiliar sites, installing apps only from trusted sources, and paying attention to the permissions an app requests. Naturally, Symantec also recommends installing its Norton Mobile Security app. Back in August, Google removed 300 apps that added devices to the WireX DDoS botnet.