Android.Sockbot Google Play Malware Traps Millions Of Devices In Zombie Botnet

Doris Richards
October 19, 2017

Security researchers at Symantec have discovered a new Android malware, named "Sockbot", which can allow a remote attacker to use an infected device to generate advertising traffic for the goal of online ad fraud. The apps in question presented themselves as skins for player characters in popular app Minecraft: Pocket Edition and boasted "an install base ranging from 600,000 to 2.6 million devices".

The malware appeared to be mainly aimed at US users but has also been seen in Russia, Ukraine, Brazil and Germany.

Symantec researchers, however, discovered that these apps also carry a "new and highly prevalent type of Android malware" called Android.Sockbot that connects infected devices to developer-controlled servers. They are not official Minecraft apps but instead offer "skins" which can be used to modify the appearance of in-game characters.

The app connects to a command and control (C&C) server on port 9001 to receive commands.

When installed, the app requests a swathe of permissions, including access to Global Positioning System data and Wi-Fi, open network connections, read and write permission to external storage devices and the ability to display alerts. The SOCKS proxy mechanism then directs the infected device to an ad server to display advertisements. "In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack", the researchers noted.

Only install apps from trusted sources. "Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well", the researchers noted.

Google Play had been notified about the presence of the apps and had removed them on 6 October, he added.

Symantec wrote that the developer account behind all eight apps, FunBaster, had apparently encrypted parts of the code to thwart "base-level forms of detection".

Other reports by Iphone Fresh

Discuss This Article