A new, “highly prevalent” strain of Android malware was found infecting several Minecraft-related apps on the Google Play store, adding compromised devices into a botnet. According to security researchers at Symantec, at least eight mobile apps – with an install base ranging from 600,000 to 2.6 million devices – were infected with Sockbot. “The legitimate purpose of the apps is to modify the look of the characters in Minecraft: Pocket Edition (PE). [However], in the background, sophisticated and well-disguised attacking functionality is enabled,” explained Shaun Aimoto, Principal SQA Engineer at Symantec, in a blog post. From their analysis, researchers believe the malware aims to generate illegitimate ad revenue. Aimoto further explains:
“The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.”
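As an added illustration (not from Symantec's analysis or the article), the following Python sketch shows how a defender could hunt for the reverse-proxy pattern Aimoto describes in network flow logs: a handset that contacts a server on port 9001 and shortly afterwards accepts an inbound connection, something a phone normally never does. The flow records, the 300-second window and every address are constructed assumptions.

```python
"""Flag Sockbot-style reverse-SOCKS behaviour in constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int          # seconds since epoch (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = device initiated, "in" = device accepted


CNC_PORT = 9001   # C&C port named in the Symantec write-up
WINDOW = 300      # seconds between C&C contact and inbound connect (assumption)


def find_reverse_proxy_devices(flows):
    """Return {device: [(cnc_ip, inbound_peer), ...]} for devices that reached
    a server on CNC_PORT and then accepted an inbound connection inside WINDOW."""
    by_dev = defaultdict(list)
    for f in flows:
        dev = f.src if f.direction == "out" else f.dst
        by_dev[dev].append(f)
    hits = {}
    for dev, dev_flows in by_dev.items():
        dev_flows.sort(key=lambda f: f.ts)
        for c in dev_flows:
            if c.direction != "out" or c.dport != CNC_PORT:
                continue
            for f in dev_flows:
                if f.direction == "in" and c.ts <= f.ts <= c.ts + WINDOW:
                    hits.setdefault(dev, []).append((c.dst, f.src))
    return hits


# Constructed sample: 10.0.0.5 shows the full pattern; 10.0.0.7 only touches
# port 9001 and never accepts a connection, so it is not flagged on its own.
SAMPLE_FLOWS = [
    Flow(100, "10.0.0.5", 41000, "203.0.113.10", 9001, "out"),   # C&C check-in
    Flow(120, "10.0.0.6", 41001, "192.0.2.50", 443, "out"),      # ordinary HTTPS
    Flow(160, "198.51.100.7", 4444, "10.0.0.5", 1080, "in"),     # proxy peer connects
    Flow(170, "10.0.0.5", 41002, "192.0.2.20", 80, "out"),       # relayed ad request
    Flow(50, "10.0.0.7", 41003, "203.0.113.11", 9001, "out"),    # check-in only
]

if __name__ == "__main__":
    for dev, pairs in find_reverse_proxy_devices(SAMPLE_FLOWS).items():
        print(dev, pairs)
```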
Furthermore, researchers warn this “highly flexible proxy topology” could easily be leveraged to exploit numerous network-based vulnerabilities, as well as launch distributed denial of service (DDoS) attacks. Researchers noted that the malware appears to primarily target users in the United States, but also has a presence in Russia, Ukraine, Brazil and Germany. Google Play was notified of the malicious apps earlier this month and has since removed them from the app store. As always, users are recommended to keep their software up to date, avoid downloading apps from unfamiliar sites, and pay close attention to the permissions requested by an app.