Sockbot malware turns Android devices into Botnet

Eight Minecraft oriented apps in Google Play Store included Sockbot trojan

Android users were targeted by hackers again. While people are still dealing with the notorious DoubleLocker ransomware, security researchers are warning about a new discovery. At the beginning of October, researchers detected Android.Sockbot[1] – a Trojan horse that spreads via Minecraft-oriented apps on the Google Play Store.

Although the malicious apps have been removed from the Store, the scale of infection might range from 600,000 to 2.6 million devices. According to Symantec,[2] which detected the Sockbot malware, the majority of victims were located in the United States. However, users in Russia, Ukraine, Brazil and Germany were affected by this trojan horse as well.

If you have downloaded the official Minecraft game app, you should not worry. It is not affected. The source of the malware was a set of skin apps for Minecraft PE[3] that allow changing characters’ appearance. So far, eight malicious apps have been detected and removed from the Google Play Store.

The behavior of Sockbot malware

The trojan gets inside the system as soon as the user installs a malicious app on an Android smartphone or tablet. It then connects to its Command and Control (C&C) server, which responds with a command to open a socket using SOCKS. The connection is established to a specified IP address and port. The targeted server then delivers a list of ads and metalists.

Simply speaking, the malware connects all affected devices into a botnet that helps to generate advertising-based revenue. However, the malicious app itself does not function as an ad-supported program, so it cannot display ads to the user. Still, security experts note that generating illegal advertising revenue might not be the only purpose of this version of the Android virus.

Just like any other Android app, Sockbot asks for several permissions. If it gets them, the malware can display various alerts, access Wi-Fi and open network connections, as well as access the GPS location. However, the most dangerous permission it can obtain is read and write access to external storage.

According to Symantec, this malicious program is sophisticated and might expand its capabilities. For instance, it might be used for DDoS (distributed denial of service) attacks.[4]

Who is responsible for infecting millions of Android users?

Usually, the cyber-criminals behind such attacks remain unidentified. This attack, however, is linked to a developer known as FunBaster. The malicious apps are signed with a unique developer’s key, and the app’s code and key strings are encrypted. Thus, if researchers manage to decrypt the code, we will know who is responsible for this cyber attack.

Meanwhile, Android users are reminded to be careful. Malicious apps often bypass Google Play’s security.[5] Therefore, you should not install apps from there without first checking information about them online. You should also:

  • look for information about the developer;
  • read permissions requested by the app;
  • install mobile antivirus;
  • do not download apps or other content from unknown third-party sites.
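The advice to read the permissions an app requests can be put into a small triage script. The example below is added here and is not code from the article or from Symantec; it parses a decoded AndroidManifest.xml and groups the requested permissions by the capabilities the article attributes to Sockbot (network, Wi-Fi, location, external storage). The permission strings are real Android identifiers; the grouping, the scoring and the sample manifest (package name `com.example.skins.placeholder`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace (real value, used by every APK).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions grouped by the capabilities the article describes.
# The permission names are genuine; the grouping is our own.
WATCHLIST = {
    "network": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
    },
    "wifi": {
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.CHANGE_WIFI_STATE",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "external_storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    # <uses-permission> and the API-23 variant both carry android:name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get("{%s}name" % ANDROID_NS)
            if name:
                names.append(name)
    return names


def triage_permissions(manifest_xml: str) -> dict:
    """Match requested permissions against the watchlist and score them.

    The score is simply the number of watchlist categories touched; a
    cosmetic skin app touching all four deserves a closer look.
    """
    requested = set(requested_permissions(manifest_xml))
    matches = {}
    for category, perms in WATCHLIST.items():
        hit = sorted(requested & perms)
        if hit:
            matches[category] = hit
    return {
        "requested": sorted(requested),
        "matches": matches,
        "writes_external_storage":
            "android.permission.WRITE_EXTERNAL_STORAGE" in requested,
        "score": len(matches),
    }


# Constructed sample: a hypothetical skin app asking for far more than it
# needs. The package name is a placeholder, not a real app.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.skins.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Placeholder Skins"/>
</manifest>
"""

# Constructed sample: the same kind of app requesting only network access.
MODEST_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.skins.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Placeholder Skins"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("modest", MODEST_MANIFEST)):
        report = triage_permissions(manifest)
        print(label, "score:", report["score"],
              "writes external storage:", report["writes_external_storage"])
        for category, perms in report["matches"].items():
            print("  ", category, "->", ", ".join(perms))
```

The script expects a plain-text manifest; the AndroidManifest.xml inside an APK is in binary form and has to be decoded first (apktool or a similar tool does this). A high score is a reason to look further, not proof of malice: plenty of legitimate apps request location or storage, which is why the article pairs this check with looking up the developer and reading reviews online.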

If you think that you may have installed one of the eight malicious apps carrying Sockbot malware, you should check your device with a professional antivirus or malware removal program that is compatible with your Android phone.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.