Google Play Hit by Botnet Malware

Thursday, October 19, 2017 @ 05:10 PM gHale

Here is a chilling thought: There is a series of infected apps on Google Play that ended up installed on over 2.6 million devices.

The apps look legit as they modify the look of the characters in Minecraft: Pocket Edition (PE). In the end, they tie unsuspecting devices into a botnet, said researchers at Symantec.

Hidden in Plain Sight: Backdoor Uses FTP Server
Cisco Fixes Backdoor
Iran Focuses on Aerospace, Energy: Report
ICSJWG: Putting Numbers Behind Risk

“We have encountered a new and highly prevalent type of Android malware (detected as Android.Sockbot) posing as apps on Google Play and later adding compromised devices into a botnet,” said Symantec researcher, Shaun Aimoto in a post. “So far we have identified at least eight such apps, with an install base ranging from 600,000 to 2.6 million devices.”

Once the app ends up installed, it will then connect to a C&C server, which would request the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port, the researcher said.

Once it establishes a connection, the app will connect to another server, from which it received a list of ads and associated metadata, the researchers said. Using this same SOCKS proxy mechanism, the app ends up connecting to an ad server and launch ad requests.

Even though the apps were used to generate illegitimate ad revenue, the potential was there to have the devices attack.

“[The] highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries. In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack,” Aimoto said.

The malware developer author has gone to great lengths to hide their true nature from researchers and users.

“The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection,” Aimoto said. “Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well.”

Leave a Reply

You must be logged in to post a comment.