Malicious Minecraft-based Android apps have been uncovered in the Google Play store which compromises devices for the creation of botnets.
On Wednesday, researchers from Symantec said that eight apps hosted on the store were infected with the Sockbot malware, with an install base ranging from 600,000 to 2.6 million devices.
In a blog post, Symantec said the apps managed to worm their way into the official Google Play Android app store by posing as add-on functionality for the popular Minecraft: Pocket Edition (PE) game. They are not official Minecraft apps but instead offer “skins” which can be used to modify the appearance of in-game characters.
The security team believes the apps were originally aimed at generating illegitimate ad revenue. One of the apps was observed connecting to a C&C server for orders to open a socket using SOCKS before connecting to a target server, which gave the app a list of ads and metadata to launch ad requests.
However, there is no functionality in the app in which to display ads, and so the researchers believe the network system utilized by the app could also be used to compromise mobile devices for other purposes.
The embedded Trojan, called Sockbot, creates the SOCKS proxy for ad revenue and potential botnet enslavement.
“This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries,” Symantec says. “In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack.”
There is one developer which is associated with the apps involved. Dubbed FunBaster, the operator has ensured that the app’s code is obfuscated and key strings are encrypted which may explain how the apps managed to bypass Google’s security processes to get onto Google Play in the first place. In addition, the developer signs each app with a different developer key.
When installed, the app requests a swathe of permissions, including access to GPS data and Wi-Fi, open network connections, read and write permission to external storage devices and the ability to display alerts.
The malware primarily targets the US, but victims have also been spotted in Russia, Ukraine, Brazil, and Germany.
Symantec informed Google of these apps on 6 October and the tech giant quickly removed them from the store.
In September, Checkpoint researchers discovered 50 apps on the Google Play store which enabled criminals to make money by secretly sending messages to premium-rate SMS services and subscribing users to paid online services without their knowledge.
Previous and related coverage