Sockbot Android malware discovered in eight popular apps on Google Play (Jacob Siegal/Boy Genius Report)


If you still aren’t being cautious about which apps you choose to
download on your Android phone or tablet, perhaps this latest report will
convince you to start taking the warnings seriously. This month, Symantec
discovered a new type of Android malware called Sockbot which poses as
legitimate apps on Google Play and then adds the devices of users who
downloaded the app to a botnet, allowing attackers to create fake ad
traffic. Symantec claims that at least eight Sockbot apps have been
identified, each of which has been downloaded between 600,000 and 2.6
million times. The stated purpose of the apps is to modify the skins of
characters in Minecraft: Pocket Edition, but behind the scenes, the
malware is generating illicit ad revenue. As Symantec explains on its
blog, the Sockbot malware connects to a command and control (C&C) server,
opens a socket using the SOCKS proxy mechanism and connects to a
specified IP address. Once the connection has been made, a command to
connect to a server is issued. Then the app receives a list of ads and
the ad fraud begins.
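
For defenders reviewing captured traffic from a suspect device, the SOCKS step described above is where the destinations show up. The decoder below is an added example, not code from Symantec or from this article; the report does not say which SOCKS version is used, so it assumes the standard SOCKS4/4a and SOCKS5 (RFC 1928) request layouts, and the function names and sample payloads are constructed for illustration.

```python
import ipaddress
import struct

COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

def parse_socks(data: bytes):
    """Decode one client-side SOCKS4/4a/5 message; None if it is not one."""
    handler = {4: _socks4, 5: _socks5}.get(data[0] if data else None)
    try:
        return handler(data) if handler else None
    except (LookupError, struct.error, ValueError):
        return None  # truncated or malformed message

def _socks4(data):
    port = struct.unpack("!H", data[2:4])[0]
    raw_ip = data[4:8]
    host = str(ipaddress.IPv4Address(raw_ip))
    user_end = data.index(b"\x00", 8)   # USERID is NUL-terminated
    # SOCKS4a: DSTIP 0.0.0.x (x != 0) means a hostname follows USERID
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        host_end = data.index(b"\x00", user_end + 1)
        host = data[user_end + 1:host_end].decode("ascii")
    return {"version": 4, "command": {1: "CONNECT", 2: "BIND"}[data[1]], "host": host, "port": port}

def _socks5(data):
    if len(data) == 2 + data[1]:        # VER, NMETHODS, METHODS: greeting
        return {"version": 5, "command": "GREETING", "methods": list(data[2:])}
    if data[3] == 1:                    # ATYP 1: IPv4
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif data[3] == 4:                  # ATYP 4: IPv6
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif data[3] == 3:                  # ATYP 3: length-prefixed domain name
        host, rest = data[5:5 + data[4]].decode("ascii"), data[5 + data[4]:]
    else:
        return None
    port = struct.unpack("!H", rest[:2])[0]
    return {"version": 5, "command": COMMANDS[data[1]], "host": host, "port": port}

def connect_targets(payloads):
    """Return (host, port) for every SOCKS CONNECT found in the payloads."""
    parsed = (parse_socks(p) for p in payloads)
    return [(m["host"], m["port"]) for m in parsed if m and m["command"] == "CONNECT"]

SAMPLES = [  # constructed payloads using documentation addresses
    b"\x05\x01\x00", b"GET / HTTP/1.1\r\n",
    b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x00\x50",
    b"\x05\x01\x00\x03\x10ads.example.test\x01\xbb",
    b"\x04\x01\x1f\x90\xc6\x33\x64\x07\x00",
]
```

Feeding it the first client-to-server bytes of each TCP stream from a packet capture gives the list of hosts and ports the device was told to reach through the proxy.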

While this is a relatively innocuous use case, Symantec notes that the
malware “could easily be extended to take advantage of a number of
network-based vulnerabilities, and could potentially span security
boundaries.” In other words, attackers could potentially use Sockbot to
carry out DDoS attacks going forward. The good news is that Symantec
notified Google of the eight apps on October 6th, at which point the
company quickly removed them from the Google Play store. But keep in mind
that millions of Android users downloaded these seemingly innocent apps
before they were found to be infected. You can never be too careful.