It has just emerged that millions of people have downloaded malware hidden in several apps on Android's official store, Google Play, which enrolled their devices in a botnet.
Security researchers have discovered a new batch of malicious apps on Google Play, some of which had been installed on as many as 2.6 million devices. The apps posed as legitimate skin packs that change the appearance of characters in Minecraft: Pocket Edition. The software's real objective, however, was to enrol the affected devices in a botnet.
Once installed on a device, each app connected to a command-and-control (C&C) server, which instructed it to open a socket and wait for a connection from a specified IP address on a specified port. Once that connection was established, the app was told to connect to a further server, from which it received a list of ads and their associated metadata. In effect the infected device acted as a proxy: traffic arrived from the operator's address and was relayed onward from the device's own network position.
Although the apps were being used to generate illegitimate ad revenue, the botnet herders could have made the affected devices take part in attacks. A proxy of this kind is highly flexible: the same relay could be pointed at any network target, for example to exploit network-based vulnerabilities, and because the traffic originates from the device itself it could potentially reach past security boundaries that would block an outside attacker.
Besides enabling arbitrary network attacks, the researchers note, the infection could also have been leveraged to mount a distributed denial-of-service (DDoS) attack.
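The sequence described above (phone home, accept an inbound connection from an address the C&C named, then connect onward to a third host) is visible in per-device connection telemetry even when the payload is encrypted. The following is an added example written for this article, not code from the researchers or from the malware: a small detection pass over a constructed, hypothetical connection log. The log format, device names and RFC 5737 documentation addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in a hypothetical
# one-connection-per-line format: timestamp, device, direction, peer, port.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-10-13T10:00:01 dev=phone-A dir=out peer=203.0.113.10 port=9001
2017-10-13T10:00:02 dev=phone-A dir=in  peer=198.51.100.7 port=40500
2017-10-13T10:00:03 dev=phone-A dir=out peer=192.0.2.55 port=443
2017-10-13T10:00:05 dev=phone-B dir=out peer=192.0.2.20 port=443
2017-10-13T10:00:06 dev=phone-B dir=out peer=192.0.2.21 port=443
2017-10-13T10:00:09 dev=phone-C dir=in  peer=198.51.100.9 port=5555
2017-10-13T10:00:40 dev=phone-C dir=out peer=192.0.2.30 port=443
garbage line that the parser must skip
"""

Flow = namedtuple("Flow", "ts dev direction peer port")
LINE_RE = re.compile(r"^(\S+) dev=(\S+) dir=(in|out)\s+peer=(\S+) port=(\d+)$")


def parse_flows(text):
    """Parse the log into Flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, dev, direction, peer, port = m.groups()
        flows.append(Flow(datetime.fromisoformat(ts), dev, direction, peer, int(port)))
    return flows


def find_relay_devices(flows, window=timedelta(seconds=60)):
    """Return {device: (cc_peer, inbound_peer, target_peer)} for devices that
    show the relay sequence within `window`:
      1. outbound connection to some host (the C&C candidate),
      2. inbound connection from a different host (the operator dialling in),
      3. outbound connection to a third host (the traffic being relayed).
    Devices that only make outbound connections, or that accept an inbound
    connection without first phoning home, are not flagged."""
    by_dev = defaultdict(list)
    for f in flows:
        by_dev[f.dev].append(f)

    hits = {}
    for dev, events in by_dev.items():
        events.sort(key=lambda f: f.ts)
        cc = None       # (ts, peer) of the most recent outbound connection
        inbound = None  # (ts, peer) of an inbound connection that followed it
        for ev in events:
            if cc and ev.ts - cc[0] > window:
                cc, inbound = None, None   # sequence timed out; start over
            if ev.direction == "out":
                if cc and inbound and ev.peer not in (cc[1], inbound[1]):
                    hits[dev] = (cc[1], inbound[1], ev.peer)
                    break
                cc, inbound = (ev.ts, ev.peer), None
            elif cc and ev.peer != cc[1]:
                inbound = (ev.ts, ev.peer)
    return hits


if __name__ == "__main__":
    for dev, (cc, operator, target) in find_relay_devices(parse_flows(SAMPLE_LOG)).items():
        print(f"{dev}: phoned home to {cc}, accepted {operator}, relayed to {target}")
```

Only phone-A is flagged: phone-B never accepts an inbound connection, and phone-C accepts one without phoning home first. The rule insists on three distinct peers so that a C&C heartbeat after the inbound connection is not mistaken for relayed traffic; if the operator dials in from the C&C address itself, the check on the inbound peer has to be relaxed. On a real fleet the signal is worth correlating with the app that owns the socket, since legitimate peer-to-peer and hotspot apps also accept inbound connections.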
Android malware was hiding in eight Play Store apps
The malware, dubbed Sockbot, was found in eight apps on Google Play, all published from a single developer account. The author went to considerable lengths to hide the apps' true nature from researchers and users, and the fact that they reached hundreds of thousands of devices, some of them millions, shows how effective those efforts were.
The malicious code's key strings are encrypted, which makes detection harder than usual, and the developer signed each app with a different key, defeating static-analysis heuristics that cluster samples by signing certificate. It is easy to see how some mobile security products could have missed the apps' malicious nature. Users were equally unlikely to notice anything wrong: the apps showed no unexpected ads, since the ad requests were handled silently over the proxy connection, and they appeared to provide the promised functionality.
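The two evasion techniques above each leave a trace that a static triage pass can look for: encrypted strings stand out as unusually high-entropy constants, and a set of apps from one account signed with different certificates is itself a (weak) anomaly. The block below is an added illustration for this article, not the researchers' method or any vendor's detection logic. The string constants, package names, account names and certificate fingerprints are constructed for the example; the entropy and length thresholds are assumptions chosen so that plain URLs and UI text fall well below them.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample string constants, as if pulled from an app's string pool.
SAMPLE_STRINGS = [
    "Minecraft: Pocket Edition skins",
    "http://example.com/ads",
    "Content-Type: application/json",
    "a1B2c3",                               # short: too little data to judge
    "k3J9xQ2mTz8vLpWq5RnYb7Hc1DfGs0Ae",     # base64-like blob, 32 distinct chars
    "7f3a9c21b4e85d0ff6a1c2e3d4b5a6978899aabbccddeeff0011223344556677",  # hex blob
]

# Constructed (package, developer account, signing-cert fingerprint) triples.
SAMPLE_APPS = [
    ("com.example.skins1", "acct-X", "AA11"),
    ("com.example.skins2", "acct-X", "BB22"),
    ("com.example.skins3", "acct-X", "CC33"),
    ("com.example.notes", "acct-Y", "DD44"),
    ("com.example.todo", "acct-Y", "DD44"),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_encrypted(s, min_len=20, threshold=4.8):
    """Heuristic for encrypted or encoded constants.

    Base64-style ciphertext has a near-uniform character distribution, so it
    scores at or above ~4.8 bits/char, while URLs, class names and UI strings
    of the same length score around 4.0 or lower. Hex-encoded ciphertext is
    capped at 4.0 bits/char by its 16-symbol alphabet, so it needs its own
    check. Short strings are ignored: too few characters to estimate entropy."""
    if len(s) < min_len:
        return False
    if HEX_RE.match(s):
        return True
    return shannon_entropy(s) >= threshold


def flag_strings(strings):
    """Return the constants in `strings` that look like encrypted/encoded blobs."""
    return [s for s in strings if looks_encrypted(s)]


def multi_key_accounts(apps):
    """apps: iterable of (package, account, cert_fingerprint).
    Return {account: set(fingerprints)} for accounts whose apps are signed
    with more than one certificate."""
    certs = defaultdict(set)
    for _pkg, account, cert in apps:
        certs[account].add(cert)
    return {a: c for a, c in certs.items() if len(c) > 1}


if __name__ == "__main__":
    for s in flag_strings(SAMPLE_STRINGS):
        print(f"suspicious constant ({shannon_entropy(s):.2f} bits/char): {s[:24]}...")
    for account, fps in multi_key_accounts(SAMPLE_APPS).items():
        print(f"{account} signs with {len(fps)} different certificates")
```

Both checks are triage signals rather than verdicts: legitimate apps embed API keys, hashes and base64 resources that trip the entropy rule, and a developer may legitimately use a separate upload key per app. Their value is in focusing manual analysis, which is exactly the step the encryption and per-app keys were meant to discourage.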
Once the issue was reported, the malicious apps were removed from Google Play. Removing an app from the store stops new installs but does not by itself uninstall it from devices where it is already present, so users who installed any of these apps still need to remove them.