Symantec discovers infected apps in the store, alerts Google

Oct 19, 2017 11:30 GMT

Apps infected with malware have once again made it to the Google Play store, and security company Symantec warns that they’ve been installed on at least 600,000 devices.

The security vendor explained in a detailed analysis of the malware that the apps were infected with Sockbot, which sets up a SOCKS proxy on each infected device and waits for commands from its author.

Symantec says the primary objective of the apps was to generate ad revenue, but if needed, the malware could easily turn the infected device into a member of a larger botnet, one that could even be used for DDoS attacks.

Eight different applications posted on Google Play have been confirmed as infected with Sockbot, and all of them have already been removed by Google. Before the removal, though, Symantec estimates that between 600,000 and 2.6 million devices had downloaded the infected apps.

Generating ad revenue

The malware, which targets users in the United States, Russia, Ukraine, Brazil, and Germany, was injected into apps promising skins for Minecraft: Pocket Edition (PE) that were published by a developer account called FunBaster.

“The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well,” Symantec says.

Once an Android device is infected with Sockbot, the malware connects to a command and control (C&C) server on port 9001 to receive commands. In most cases, what it then retrieves through the proxy is a list of ads and associated metadata such as ad type and screen size name. The app never displays any of these ads on the compromised device, so the user sees no sign of the activity; the ad traffic itself is what earns the revenue.
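The behaviour described above (an outbound contact to the C&C port, after which the device starts accepting connections and relaying them as a SOCKS proxy) is the pattern a network defender would look for. The example below is added here and is not Symantec's or the malware author's code. It assumes a constructed, simplified connection log format (timestamp, device, direction, remote address), uses only port 9001 from the article, and assumes SOCKS5 (RFC 1928) for the proxy request parser, since the article only says "SOCKS proxy" without naming a version. All IP addresses and hostnames are constructed.

```python
"""Flag the Sockbot-style proxy pattern in connection logs and decode SOCKS5 CONNECT requests.

Added example; not code from the original article. The log format and all addresses are
constructed for illustration.
"""
import ipaddress
import struct
from collections import defaultdict

# Port 9001 is the C&C port named in the article.
CC_PORT = 9001

# Constructed sample flow log: one TCP connection per line.
# Fields: timestamp, device IP, direction ("out" = device initiated, "in" = device accepted),
# remote ip:port. Device 10.0.0.12 shows the full pattern: contact on 9001, then an inbound
# connection (it is now acting as a proxy endpoint). Device 10.0.0.45 only contacted 9001.
SAMPLE_FLOWS = """\
2017-10-18T09:00:01Z 10.0.0.12 out 203.0.113.5:9001
2017-10-18T09:00:03Z 10.0.0.12 in 198.51.100.7:47233
2017-10-18T09:00:04Z 10.0.0.12 out 192.0.2.40:80
2017-10-18T09:10:00Z 10.0.0.33 out 192.0.2.40:443
2017-10-18T09:12:00Z 10.0.0.45 out 203.0.113.5:9001
"""


def parse_flows(text):
    """Parse the constructed log format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, direction, remote = line.split()
        remote_ip, remote_port = remote.rsplit(":", 1)
        flows.append({"ts": ts, "device": device, "dir": direction,
                      "remote_ip": remote_ip, "remote_port": int(remote_port)})
    return flows


def find_sockbot_candidates(flows):
    """Return {device: finding} for devices that contacted CC_PORT outbound.

    An outbound connection to 9001 alone is a weak signal (the port is not reserved for
    malware). Inbound connections arriving *after* that contact mean the device is
    accepting connections, which is exactly what a freshly opened SOCKS proxy does, so
    that combination is rated "high".
    """
    by_device = defaultdict(list)
    for flow in flows:
        by_device[flow["device"]].append(flow)

    findings = {}
    for device, device_flows in by_device.items():
        device_flows.sort(key=lambda f: f["ts"])
        cc_index = next((i for i, f in enumerate(device_flows)
                         if f["dir"] == "out" and f["remote_port"] == CC_PORT), None)
        if cc_index is None:
            continue
        inbound_after = [f for f in device_flows[cc_index + 1:] if f["dir"] == "in"]
        findings[device] = {
            "cc_contact": device_flows[cc_index]["remote_ip"],
            "inbound_after_cc": len(inbound_after),
            "severity": "high" if inbound_after else "low",
        }
    return findings


def parse_socks5_connect(data):
    """Decode a SOCKS5 CONNECT request and return (destination host, port).

    Assumption: SOCKS5 per RFC 1928. Layout: VER=5, CMD=1 (CONNECT), RSV=0, ATYP,
    DST.ADDR (4 bytes IPv4 / length-prefixed domain / 16 bytes IPv6), DST.PORT (2 bytes).
    Raises ValueError on anything that is not a well-formed CONNECT.
    """
    if len(data) < 4:
        raise ValueError("truncated SOCKS request")
    ver, cmd, _rsv, atyp = data[:4]
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 1:                                   # IPv4
        host, offset = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 3:                                 # domain name
        length = data[4]
        host, offset = data[5:5 + length].decode("ascii"), 5 + length
    elif atyp == 4:                                 # IPv6
        host, offset = ipaddress.IPv6Address(data[4:20]).compressed, 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) < offset + 2:
        raise ValueError("truncated destination port")
    (port,) = struct.unpack("!H", data[offset:offset + 2])
    return host, port


if __name__ == "__main__":
    for device, finding in find_sockbot_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(device, finding)
    # Constructed CONNECT request: domain "ads.example.com", port 443.
    print(parse_socks5_connect(b"\x05\x01\x00\x03\x0fads.example.com\x01\xbb"))
```

In a real deployment the flow records would come from a firewall, NetFlow or a mobile device management agent, and the CONNECT parser would be run on the payload of the inbound sessions so that the destinations the device is being told to relay to can be reviewed.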

Android users who have already installed one of these apps are advised to remove it as soon as possible. Removal from Google Play does not by itself uninstall an app from devices that already have it. Most Android security products have already been updated to detect Sockbot and remove the infection.