New 'Sockbot' malware has 'highly flexible proxy topology' that might be leveraged for a variety of nefarious purposes.

Dark Reading Staff, Dark Reading

October 19, 2017

1 Min Read

Eight "skin apps" for changing the appearance of video-game characters in the Minecraft Pocket Edition for Android are wrapped in new malware that Symantec researchers have dubbed "Sockbot." Although the malware is currently being used to drive app users to ads, Sockbot's "highly flexible proxy topology" could also turn infected devices into bots, researchers say, and use those devices to launch distributed denial-of-service attacks and exploit a variety of network-based vulnerabilities.

Sockbot is thus named because its command-and-control server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. As researchers explain: "A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests."

The apps, developed by "FunBaster," are all available on Google Play, Android's official app store. Symantec estimates that between 600,000 and 2.6 million devices have been exposed.

Read more in Symantec's blog today

INsecurity-Logo-wEventInfo-Horizontal.png

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights