CATEGORIES
home News

Android.Sockbot Google Play Malware Traps Millions Of Devices In Zombie Botnet

by Shane McGlaunThursday, October 19, 2017, 08:09 AM EDT

Symantec has issued a warning that it found at least eight different apps on Google Play that were infected with a malware called Android.Sockbot. The apps all posed as add-ons for Minecraft: Pocket Edition and claimed to change the way characters look in the game with new skins. The infection from these apps was widespread with an install base between 600,000 and 2.6 million devices.

minecraft pe

The malware was mainly focused on infecting users in the U.S., but there were infections in Russia, Ukraine, Brazil, and Germany as well. Symantec says that it set up network analysis of the malware and found that it was aimed at generating illegal ad revenue. However, the apps had no functionality to display ads integrated. 

Symantec writes, "The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests."

While the apps were set up to generate illegitimate ad revenue, Symantec notes that the proxy topology of the malware was very flexible and could have easily been tuned to take advantage of a number of network-based vulnerabilities and could potentially span security boundaries. The large install base could also be leveraged to mount DDoS attacks.

assassin skins

Symantec writes, "There is a single developer account named FunBaster associated with this campaign. The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well."

Symantec says that it did notify Google of the malware-laced apps on October 6 and that Google has already removed them from the Play Store. There are tips given for mitigating the chance of infections of your Android device including keeping software up to date, not downloading apps from unfamiliar sites, installing apps from trusted sources, and paying attention to permissions an app requests. Naturally, Symantec also recommends installing its Norton Mobile Security app. Back in August, Google removed 300 apps that added devices to the WireX DDoS botnet.

Tags:  Android, Malware, App, botnet, Symantec, Google-Play, Minecraft
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment