Malicious Minecraft Apps Turn Android Devices into Botnet

Security researchers from Symantec have discovered at least eight apps in the Google Play Store infected with the Sockbot malware, which allows devices to be connected to a botnet and used for DDoS attacks. According to the researchers, these apps were downloaded between 600,000 and 2.6 million times. The malicious campaign primarily targets users in the United States, Russia, Ukraine, Brazil, and Germany.

At first glance, the apps appear to be designed to change the appearance of characters in Minecraft: Pocket Edition. However, in the background, they contain complex and well-hidden malicious functionality. During their analysis, researchers found activity aimed at illegally generating revenue through hidden advertising.

To receive commands, the app connects to a command-and-control (C&C) server via port 9001. The C&C server sends a command to open a socket using the SOCKS protocol and wait for a connection at a specified IP address. The app then receives a command to connect to a target server. Once connected, the app receives a list of ads and related metadata (such as ad type and screen size). Using the SOCKS proxy, the app connects to the ad server and sends ad requests. The app itself does not have the functionality to display ads.
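As an added illustration (not code from Symantec's report or from the malware), the following Python detector is run over constructed flow records and flags a device that first reaches a host on port 9001 and then begins a SOCKS handshake with a different host, the sequence described above. The device ids, hosts and payload bytes are constructed sample data.

```python
# Constructed sample flow records (not real telemetry):
# (timestamp, device_id, remote_host, remote_port, first_bytes_of_payload)
SAMPLE_FLOWS = [
    (100, "phone-A", "203.0.113.10", 9001, b"\x00\x12{\"cmd\":\"open\"}"),  # C&C contact
    (105, "phone-A", "198.51.100.7", 1080, b"\x05\x01\x00"),                # SOCKS5 greeting
    (200, "phone-B", "93.184.216.34", 443, b"\x16\x03\x01"),                # ordinary TLS
    (300, "phone-C", "198.51.100.7", 8080, b"\x04\x01\x00\x50\xc6\x33\x64\x07\x00"),  # SOCKS4 only
]

CNC_PORT = 9001  # port named in the article


def is_socks_handshake(payload: bytes) -> bool:
    """True if the payload looks like a SOCKS5 client greeting or a SOCKS4 CONNECT."""
    if len(payload) >= 2 and payload[0] == 0x05:
        # SOCKS5 greeting: VER=5, NMETHODS, then exactly NMETHODS method bytes (0xFF is never a client method)
        nmethods = payload[1]
        methods = payload[2:]
        return nmethods >= 1 and len(methods) == nmethods and 0xFF not in methods
    if len(payload) >= 9 and payload[0] == 0x04:
        # SOCKS4 request: VN=4, CD=1 (CONNECT) or 2 (BIND), DSTPORT, DSTIP, USERID, NUL terminator
        return payload[1] in (1, 2) and payload[-1] == 0x00
    return False


def flag_devices(flows, cnc_port=CNC_PORT):
    """Return {device: (cnc_host, proxy_peer)} for devices that contacted the C&C port
    and afterwards started a SOCKS handshake with a different host."""
    ordered = sorted(flows, key=lambda f: f[0])
    first_cnc = {}  # device -> (timestamp, host) of its first contact on cnc_port
    for ts, dev, host, port, _payload in ordered:
        if port == cnc_port and dev not in first_cnc:
            first_cnc[dev] = (ts, host)
    hits = {}
    for ts, dev, host, _port, payload in ordered:
        if dev not in first_cnc or dev in hits:
            continue
        cnc_ts, cnc_host = first_cnc[dev]
        if ts > cnc_ts and host != cnc_host and is_socks_handshake(payload):
            hits[dev] = (cnc_host, host)
    return hits


if __name__ == "__main__":
    print(flag_devices(SAMPLE_FLOWS))  # {'phone-A': ('203.0.113.10', '198.51.100.7')}
```

phone-C speaks SOCKS without any prior contact on port 9001 and is deliberately not flagged, so the rule keys on the sequence rather than on SOCKS traffic alone.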

According to the researchers, this proxy mechanism could be abused for more than ad fraud: it could be used to exploit various vulnerabilities and to carry out network attacks, including DDoS.

The researchers found that only one developer account, named FunBaster, is associated with this campaign. They were unable to obtain more detailed information about the developer because the malicious code in the apps is obfuscated and key strings are encrypted. Additionally, the author signs each app with a different key, making identification through static analysis more difficult.

Google has already removed the malicious apps from the Play Store.