Sockbot

Google has removed eight apps from the official Play Store that were infected with the Sockbot Android malware.

Discovered by Symantec researchers, these apps posed as player skin apps for the Minecraft Pocket Edition mobile game. The eight apps had a total installation count ranging from 600,000 to 2.6 million.

All were developed by the same developer, going by the name of FunBaster. Google removed the apps at the start of the month, on October 6. Google has the ability to remove infected apps from users' phones, so most apps have been removed from user devices.

Sockbot malware deployed SOCKS proxies on infected devices

The malware's name — Sockbot — comes from the malware's mode of operation. The malware installed and started a SOCKS proxy on all infected devices, and awaited commands from a remote botnet command and control (C&C) server.

Although Symantec researchers found infected devices receiving data about ads, such as ad type and screen size name, among other fields, the malicious apps in which Sockbot was hidden did not contain functionality to display these ads.

In addition, researchers point out that the malware's author could easily change course at any point and use Sockbot to relay malicious traffic or carry out DDoS attacks instead.

Sockbot caught while still in development

All clues point to the fact that the Sockbot author was still putting the finishing touches on his malware at the time Symantec stumbled upon the malicious apps.

This is not the first large Android botnet discovered this year. At the end of August, a coalition of security firms banded together to take down the WireX botnet that was made up of over 120,000 infected Android devices and was actively used to launch DDoS attacks.

Another Android malware strain that built its own botnet and used it first to deliver ads and then to launch DDoS attacks is GhostClicker, found spreading via 340 apps, some of which also made it onto the Play Store.

Image credits: Richard Schumann, Dev Patel, Bleeping Computer