Android devices have been targeted through Google Play yet again: eight Minecraft-themed apps in the Store were found to carry a new Trojan, Android.Sockbot, which spreads exclusively through such apps. At the time of writing the malicious apps have been removed from the Store, but their install counts suggest that somewhere between 600,000 and 2.6 million Android devices may have been infected before the takedown.
According to Symantec, which identified Sockbot, most of the victims are in the United States, but infections were also observed in Brazil, Germany, Russia and Ukraine, so users elsewhere should not assume they are unaffected.
To be clear, the official Minecraft app is not infected. The carriers were third-party skin apps for Minecraft PE, which let players change their character's appearance; all eight have since been removed from Google Play.
The Trojan is installed the moment a user downloads one of the eight malicious apps onto an Android phone or tablet. Once running, it connects to its command-and-control (C&C) server, which responds with a command to open a socket using SOCKS and connect to a specified IP address and port. Over that connection the target server delivers a list of ads and related metadata. In effect, the Trojan enrolls every device it infects into a botnet of SOCKS proxies that generates large volumes of ad traffic for the operators' profit. Notably, the app itself contains no ad-display functionality, so the victim never sees these ads: the traffic consists of fraudulent ad requests routed through the device, not advertising shown to the user, which is why the activity goes unnoticed. Security researchers also note that illicit advertising revenue may not be the only goal of this Trojan.
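To make the proxy mechanism concrete, the following is an added example (not code from Symantec or from the page) that plays the exchange described above on loopback: an "operator" connects to the infected "device", which accepts a SOCKS CONNECT and relays bytes to whatever target it is told to reach. The page does not say which SOCKS version Sockbot uses, so SOCKS5 (RFC 1928) with no authentication is an assumption, and an echo server stands in for the ad endpoint. The `relayed` list records every destination the device is ordered to contact, which is exactly the artefact a defender would want logged.

```python
"""Loopback demo of a device acting as a SOCKS5 proxy on behalf of an operator.
Added example; assumes SOCKS5 with no authentication and IPv4 targets only.
All three roles (operator, device, target) run on 127.0.0.1 in this process."""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
NO_AUTH = 0


def recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError on early EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf


def encode_connect_request(host, port):
    """Build a SOCKS5 CONNECT request for an IPv4 host:port."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4])
            + socket.inet_aton(host) + struct.pack("!H", port))


def parse_connect_request(data):
    """Parse a SOCKS5 CONNECT request (IPv4 only) into (host, port)."""
    ver, cmd, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        raise ValueError("unsupported SOCKS request header %r" % data[:4])
    return socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_one_proxy_connection(listener, relayed):
    """Device side: accept one operator connection, honour CONNECT, relay both ways.
    Each destination the operator asks for is appended to `relayed`."""
    client, _ = listener.accept()
    client.settimeout(5)
    greeting = recv_exact(client, 2)            # version, number of auth methods
    recv_exact(client, greeting[1])             # the method list itself
    client.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    host, port = parse_connect_request(recv_exact(client, 10))
    relayed.append((host, port))
    target = socket.create_connection((host, port), timeout=5)
    # Success reply; bind address 0.0.0.0:0 is acceptable for a client that ignores it.
    client.sendall(bytes([SOCKS_VERSION, 0, 0, ATYP_IPV4]) + b"\x00" * 6)
    threading.Thread(target=_pump, args=(client, target), daemon=True).start()
    _pump(target, client)


def serve_one_echo(listener):
    """Target side: echo one connection back until EOF (stands in for an ad server)."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk)


def run_demo(payload=b"GET /ad?campaign=constructed HTTP/1.0\r\n\r\n"):
    """Operator -> device (proxy) -> target on loopback. Returns (relayed, echoed)."""
    target_l = socket.socket()
    target_l.bind(("127.0.0.1", 0))
    target_l.listen(1)
    proxy_l = socket.socket()
    proxy_l.bind(("127.0.0.1", 0))
    proxy_l.listen(1)
    relayed = []
    threading.Thread(target=serve_one_echo, args=(target_l,), daemon=True).start()
    threading.Thread(target=serve_one_proxy_connection, args=(proxy_l, relayed), daemon=True).start()
    thost, tport = target_l.getsockname()
    with socket.create_connection(proxy_l.getsockname(), timeout=5) as op:
        op.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))     # greeting: one method offered
        if recv_exact(op, 2) != bytes([SOCKS_VERSION, NO_AUTH]):
            raise ConnectionError("device rejected no-auth")
        op.sendall(encode_connect_request(thost, tport))
        if recv_exact(op, 10)[1] != 0:
            raise ConnectionError("CONNECT refused")
        op.sendall(payload)
        op.shutdown(socket.SHUT_WR)                          # EOF travels through the relay
        echoed = b""
        while True:
            chunk = op.recv(4096)
            if not chunk:
                break
            echoed += chunk
    target_l.close()
    proxy_l.close()
    return relayed, echoed


if __name__ == "__main__":
    dests, data = run_demo()
    print("device was told to reach:", dests)
    print("bytes relayed back to operator:", data)
```

The point of the demo is the asymmetry it exposes: the device never chooses the destination, the operator does, so the only observable on the handset is an outbound connection to whatever address the C&C names, and the only way to see the ad (or DDoS) traffic for what it is is to inspect or log the CONNECT targets, as `relayed` does here.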
Like other Android malware, Sockbot requests several permissions. Once granted, it can display alerts, query Wi-Fi and open network connections, and read the device's GPS location. The most concerning permission it asks for is read and write access to external storage. According to Symantec the program is fairly sophisticated and its capabilities could be extended; a botnet of proxy devices of this kind could, for example, be turned to distributed denial-of-service (DDoS) attacks.
The criminals behind threats like Sockbot usually cover their tracks and remain unknown. This time there is at least a lead: the attack was linked to a developer account named FunBaster. Attribution beyond that name is difficult, however, because the malicious apps are signed with a developer key unique to this campaign, and both the key strings and the app code are encrypted and obfuscated. Only once researchers have decrypted and analyzed that code is there a realistic chance of identifying who is actually behind the attack.
In the meantime, Android users should be careful about what they install, since this is far from the first time malicious apps have slipped past Google Play's checks. Before installing an app, read its reviews, look into who the developer is, and read the permissions it requests, questioning any that its stated purpose does not require. Install a mobile security product, or update the one you already have, and avoid downloading apps from unknown third-party sites altogether.
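"Read the permissions" is easier to act on with a concrete check. The following is an added example (not from the page or from Symantec) that pulls the `uses-permission` entries out of a decoded AndroidManifest.xml and compares them against what a single-purpose app such as a skin changer plausibly needs. The manifest below is a constructed sample, and the expected-permission set is an assumption about what a skin app needs; on a real device the manifest comes from `apktool d app.apk`, or the list alone from `aapt dump permissions app.apk`.

```python
"""Permission audit for a decoded AndroidManifest.xml.
Added example. SAMPLE_MANIFEST is constructed, not taken from any real app,
and EXPECTED_FOR_SKIN_APP is an assumption about what a skin changer needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest modelled on a Minecraft skin-changer app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.skins">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Skins"/>
</manifest>
"""

# Permissions in Android's "dangerous" group, plus RECEIVE_BOOT_COMPLETED, which
# is "normal" but gives an app a foothold to restart itself after reboot.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Assumption: a skin changer needs network access to fetch skins and storage to save them.
EXPECTED_FOR_SKIN_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS        # attribute is namespaced, element is not
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit(manifest_xml, expected=EXPECTED_FOR_SKIN_APP):
    """Flag permissions outside the expected set; escalate if any of them is high risk."""
    requested = set(requested_permissions(manifest_xml))
    unexpected = requested - expected
    return {
        "unexpected": sorted(unexpected),
        "high_risk": sorted(requested & HIGH_RISK),
        "verdict": "review" if unexpected & HIGH_RISK else "ok",
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print("%-10s %s" % (key, value))
```

Location and boot-time start are the two entries that should prompt a question here: neither is needed to change a character's appearance, and together with unrestricted network access they match the profile the article describes.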