Android Apps Infected with Sockbot Malware Turn Devices into Botnet

Cybercriminals apparently are well aware of the fact that Minecraft is a truly profitable game perhaps that’s why they are eager on identifying new ways of exploiting it. Reportedly, there are a number of Minecraft oriented Android apps available on Google Play Store that are infecting devices and turning them into botnets.

According to research conducted by Symantec’ cybersecurity researchers, eight apps on Google Play Store are infected with an embedded malicious Trojan called Sockbot. The installation scope of this particular malware campaign is quite wide-ranged with approx. 600,000 to 2.6 million devices targeted so far. The apps initially posed as add-ons for Minecraft: Pocket Edition game to get posted at Google Play Android app store.

However, these are not official Minecraft game apps but only providing skins for changing the appearance of characters in the game. The apps have been designed to generate ad revenue through illegal ways. One of these eight apps was found to be communicating with a command and control server (C&C) for instructions to open a socket using SOCKS before creating a link with the targeted server. The C&C server provided a list of metadata and ads to promote ad requests. But in reality, the app is not meant to display ads but to compromise mobile devices for nefarious purposes.

After being installed on a device, the app asks for a range of permissions including displaying of alerts, accessing GPS data, open network connections, access Wi-Fi service and acquire read and write privilege on external storage devices.

Malicious Android Apps on Google Play Store Turning Devices into Botnets
One of the malware infected Minecraft apps / Credit: symantec

Sockbot malware creates a SOCKS proxy to ensure generation of ad revenue and making the device a botnet. According to Symantec, the proxy topology is “highly flexible” as it can easily be extended to benefit from vulnerabilities of networks and also effectively span security parameters. Apart from executing “arbitrary network attacks,” the wide-ranging scope of this infection can be utilized to launch a DDoS (distributed denial of service) attack.

A developer using the alias FunBaster is identified to be linked with the malicious apps. It is noted that the developer signs every app with a unique developer key and has ensured that the coding of the app is obfuscated while the key string is also encrypted. If the code could be decrypted, it would be clear how the apps have managed to thwart security processes of Google to get posted on the Play Store.

A botnet is a number of Internet-connected devices, each of which is running one or more bots

Google was notified of the presence of malicious apps on its Store by Symantec on October 6th after which the company removed them. However, there are tons of other malware-infected apps on Google Play Store that might trick Android users, therefore, avoid downloading unnecessary apps and use anti-virus software.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.