Eight "skin apps" for changing the appearance of video-game characters in the Minecraft Pocket Edition for Android are wrapped in new malware that Symantec researchers have dubbed "Sockbot." Although the malware is currently being used to drive app users to ads, Sockbot's "highly flexible proxy topology" could also turn infected devices into bots, researchers say, and use those devices to launch distributed denial-of-service attacks and exploit a variety of network-based vulnerabilities.
Sockbot is thus named because its command-and-control server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. As researchers explain: "A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests."
The apps, developed by "FunBaster," are all available on Google Play, Android's official app store. Symantec estimates that between 600,000 and 2.6 million devices have been exposed.
Read more in Symantec's blog today.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.