Contributor: Martin Zhang
We have encountered a new and highly prevalent type of Android malware (detected as Android.Sockbot) posing as apps on Google Play and later adding compromised devices into a botnet. So far we have identified at least eight such apps, with an install base ranging from 600,000 to 2.6 million devices. This malware appears primarily targeting users in the United States, but also has a presence in Russia, Ukraine, Brazil, and Germany.
Figure. One of the malicious apps posing as a skin app for Minecraft PE
The legitimate purpose of the apps is to modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, sophisticated and well-disguised attacking functionality is enabled. We set up network analysis of this malware in action and observed activity apparently aimed at generating illegitimate ad revenue.
The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.
There is no functionality within the application to display ads.
This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries. In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack.
There is a single developer account named FunBaster associated with this campaign. The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well.
We notified Google Play of the presence of these malicious apps on October 6 and Google has confirmed these have been removed from the store.
Symantec recommends mobile users observe the following security best practices:
- Keep your software up to date.
- Refrain from downloading apps from unfamiliar sites.
- Only install apps from trusted sources.
- Pay close attention to the permissions requested by an app.
- Install a suitable mobile security app, such as Norton Mobile Security, in order to protect your device and data.
- Make frequent backups of important data.
Symantec and Norton products detect this malware as Android.Sockbot.
UPDATE: The title of this blog has been changed. While a DDoS attack could theoretically be launched from infected devices, we have not observed any DDoS attacks originating from these devices.