Eight apps on Google Play infected with the Sockbot Android malware, affecting 600,000 to 2.6 million devices.

BaCde, 2414 days ago

A new and widespread Android malware (detected as Android.Sockbot) has recently appeared, posing as apps on Google Play and adding compromised devices to a botnet. So far at least eight such apps have been identified, with install counts ranging from 600,000 to 2.6 million devices. The malware mainly targets users in the United States, but it is also present in Russia, Ukraine, Brazil and Germany.


We have encountered a new and highly prevalent type of Android malware (detected as Android.Sockbot) posing as apps on Google Play and later adding compromised devices into a botnet. So far we have identified at least eight such apps, with an install base ranging from 600,000 to 2.6 million devices. This malware appears to be primarily targeting users in the United States, but it also has a presence in Russia, Ukraine, Brazil, and Germany.


Figure. One of the malicious apps posing as a skin app for Minecraft PE

The legitimate purpose of the apps is to modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, sophisticated and well-disguised attacking functionality is enabled. We set up network analysis of this malware in action and observed activity apparently aimed at generating illegitimate ad revenue.

The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.

There is no functionality within the application to display ads.
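The relay sequence described above (a beacon to the C&C on port 9001, then an inbound connection the phone accepts, then an outbound connection from the phone to a third host) is unusual for a handset and can be correlated from flow records. The following detector is an added example written for this post, not Symantec's code; the device address, the 300-second window, and the flow records are constructed assumptions.

```python
from dataclasses import dataclass

CC_PORT = 9001     # C&C port reported in the post
WINDOW = 300.0     # assumed: seconds within which the three flows must occur


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def find_proxy_relays(flows, device_ip):
    """Return sorted (cc_ip, client_ip, target_ip) triples for every
    beacon -> accepted inbound connection -> outbound relay sequence
    originating from device_ip inside WINDOW seconds of the beacon."""
    flows = sorted(flows, key=lambda f: f.ts)
    findings = set()
    for beacon in flows:
        if not (beacon.src_ip == device_ip and beacon.dst_port == CC_PORT):
            continue
        deadline = beacon.ts + WINDOW
        # A connection *to* the phone means it was listening, as a SOCKS proxy would.
        for inbound in flows:
            if not (inbound.dst_ip == device_ip and beacon.ts < inbound.ts <= deadline):
                continue
            # The relay is a fresh outbound connection to a host that is neither
            # the C&C nor the proxy client, opened after the inbound one arrived.
            for relay in flows:
                if (relay.src_ip == device_ip
                        and inbound.ts < relay.ts <= deadline
                        and relay.dst_port != CC_PORT
                        and relay.dst_ip not in (beacon.dst_ip, inbound.src_ip)):
                    findings.add((beacon.dst_ip, inbound.src_ip, relay.dst_ip))
    return sorted(findings)


SAMPLE_FLOWS = [  # constructed records, not from a real capture
    Flow(0.0,   "10.0.0.5", 41000, "203.0.113.10", 9001),   # beacon to C&C
    Flow(3.5,   "10.0.0.5", 41001, "192.0.2.99", 443),      # ordinary HTTPS, benign
    Flow(12.0,  "198.51.100.7", 50000, "10.0.0.5", 1080),   # phone accepts a connection
    Flow(12.4,  "10.0.0.5", 41002, "192.0.2.44", 80),       # phone relays to a third host
    Flow(900.0, "10.0.0.5", 41003, "203.0.113.10", 9001),   # beacon with no follow-up
]

if __name__ == "__main__":
    for cc, client, target in find_proxy_relays(SAMPLE_FLOWS, "10.0.0.5"):
        print(f"relay pattern: C&C {cc} -> proxy client {client} -> target {target}")
```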

This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries. In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack.

There is a single developer account named FunBaster associated with this campaign. The malicious code is obfuscated and key strings are encrypted, thwarting base-level forms of detection. Additionally, the developer signs each app with a different developer key, which helps to avoid static analysis-based heuristics as well.

We notified Google Play of the presence of these malicious apps on October 6 and Google has confirmed these have been removed from the store.


Symantec recommends mobile users observe the following security best practices:

  • Keep your software up to date.
  • Refrain from downloading apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by an app.
  • Install a suitable mobile security app, such as Norton Mobile Security, in order to protect your device and data.
  • Make frequent backups of important data.


Symantec and Norton products detect this malware as Android.Sockbot.