Millions download botnet-building malware from Google Play

Researchers have discovered a new batch of malicious apps on Google Play, some of which have been downloaded and installed on some 2.6 million devices.

The apps’ capabilities

The apps posed as legitimate offerings that modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, though, they set out to rope the devices into a botnet.

android botnet-building malware

Once they were installed on a target device, they would connect to a C&C server, which would request that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port.

Once the connection was established, the app was instructed to connect to another server, from which it received a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app was commanded to connect to an ad server and launch ad requests.

Even though the apps were used to generate illegitimate ad revenue, the botnet herders could have forced the devices to participate in attacks.

“[The] highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries. In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack,” the researchers noted.

The malware was hiding in eight apps

The malware, dubbed Sockbot, was found hiding in eight apps on Google Play, all offered by a single developer account.

The author has gone to great lengths to hide their true nature from researchers and users. The fact that the malicious apps have been installed on hundreds of thousands and (some of them) millions of devices is a testament of the author’s skill and savvy.

“The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well,” the researchers noted. It’s easy to see how some mobile security solutions might have missed the app’s malicious nature.

As for the users, they were unlikely to notice that the app was doing something untoward: it did not show unexpected ads, and apparently did offer the advertized functionality (i.e. it changed the “skin” of Minecraft characters).

The malicious apps have since been removed from Google Play. Hopefully, Google has been bringing down the number of compromised devices with Google Play Protect.

Users are advised to be careful when considering which apps to install on their devices.