Millions download botnet-building malware from Google Play

Symantec discovered a new batch of malicious apps on Google Play, some of which have been downloaded and installed on some 2.6 million devices.

According to Symantec, the apps posed as legitimate offerings that modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, though, they set out to rope the devices into a botnet.


Once they were installed on a target device, they would connect to a C&C server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port.

A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.

Even though the apps were used to generate illegitimate ad revenue, the botnet herders could have forced the devices to participate in attacks.

“This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries”, Symantec says. “In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack”.

The malware, dubbed Sockbot, was found hiding in eight apps on Google Play, all offered by a single developer account.

The author has gone to great lengths to hide their true nature from researchers and users. The fact that the malicious apps have been installed on hundreds of thousands and (some of them) millions of devices is a testament of the author’s skill and savvy.

Symantec informed Google about the apps on October 6, and the malicious software was removed from the  Google Play.

%d bloggers like this: