In a blog post on Wednesday, Symantec security researchers wrote they had discovered at least eight Google Play Store apps that functioned as fronts for a “new and highly prevalent type of Android malware” called Android.Sockbot. The apps in question presented themselves as skins for player characters in popular app Minecraft: Pocket Edition and boasted “an install base ranging from 600,000 to 2.6 million devices.”
According to Symantec, the apps in question did actually perform as intended, allowing Minecraft players to waltz around as various characters (like an “assassin”). But they also connected to a command & control server that bombarded the compromised Android devices with requests to connect via the Socket Secure (SOCKS) protocol to ad servers. However, Symantec wrote there is no functionality in the apps to actually display advertising, suggesting those servers could have been directing compromised devices to participate in a variety of malicious activities:
“This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries. In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack.”
Symantec wrote that the developer account behind all eight apps, FunBaster, had apparently encrypted parts of the code to thwart “base-level forms of detection.” Google Play has since removed the apps from the store.
As Ars Technica noted, the incident is yet more evidence Google Play is “chronically unable to detect untrustworthy apps before allowing them into its official app bazaar.” In just one other example in August, Google Play expelled at least three faux messaging apps it discovered were “capable of covertly taking photos, recording audio, retrieving call logs, and more.”
In June, CNET noted bogus apps were quickly becoming an industry-wide problem, including on Apple’s App Store and third-party networks. Many of the scammers appeared to be taking advantage of lax vetting procedures for newly added apps; one titled “Mobile protection: Clean & Security VPN” rose to the top 10 grossing productivity apps in the Apple store before it was revealed to be charging users some $99.99 a week.
In general, it might be a good idea to think about whether you really need that slightly sketchy-looking app from a mysterious developer before you load it onto a device that contains most of your personal information.