Contained in these infected Google Play apps is highly camouflaged malware known as Android.Sockbot...
Google has booted eight infected apps from its Google Play marketplace, apps that had been downloaded as many as 2.6 million times. The industry giant took action after researchers found that the apps add devices to a botnet and can perform denial-of-service attacks or other malicious actions.
The stated purpose of the apps is to provide a skin that can modify the look of characters in the popular Minecraft: Pocket Edition game. Under the hood, the infected Google Play apps contain highly camouflaged malware known as Android.Sockbot, which connects infected devices to developer-controlled servers. This is according to a blog post published Wednesday by researchers from Symantec. The malware mostly targets users in the US, but it also has a presence in Russia, Ukraine, Brazil, and Germany.
When the researchers ran an infected Google Play app in their laboratory, they found it establishing a persistent connection, based on the Socket Secure (SOCKS) protocol, to a server that delivers ads. The SOCKS proxy mechanism then directs the infected device to an ad server and causes it to request that certain ads be displayed.
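The behaviour described above, a device holding a long-lived SOCKS session open to a server it has no business proxying through, is something a defender can look for in captured traffic. The following is an added example, not code from the article or from Symantec's post: it recognises SOCKS4 and SOCKS5 client greetings (RFC 1928 and the SOCKS4 specification) in the first bytes a client sends, then flags devices whose SOCKS sessions exceed a duration threshold. The flow records and the `Flow`, `classify_socks` and `find_persistent_proxy_clients` names are constructed for this illustration; the addresses are documentation ranges, not real indicators.

```python
# Added example (not from the article or Symantec's post): recognise SOCKS
# client greetings in captured flow payloads and flag devices that keep a
# proxy session open for a long time. All sample flows below are constructed.
from dataclasses import dataclass


@dataclass
class Flow:
    """One captured client-to-server flow (constructed record, not a real capture)."""
    device: str        # hypothetical device identifier
    dst: str           # destination host:port
    duration_s: int    # how long the connection stayed open
    first_bytes: bytes # first payload bytes sent by the client


def classify_socks(payload: bytes):
    """Return 'socks5', 'socks4' or None from the first client bytes.

    SOCKS5 greeting (RFC 1928): VER=0x05, NMETHODS, then NMETHODS method bytes.
    SOCKS4 request: VN=0x04, CD=0x01 (CONNECT) or 0x02 (BIND), DSTPORT (2),
    DSTIP (4), USERID terminated by a NUL byte: at least 9 bytes in total.
    """
    if len(payload) >= 3 and payload[0] == 0x05:
        nmethods = payload[1]
        if 1 <= nmethods <= 255 and len(payload) >= 2 + nmethods:
            return "socks5"
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] in (0x01, 0x02):
        return "socks4"
    return None


def find_persistent_proxy_clients(flows, min_duration_s=300):
    """Map device -> [(dst, kind)] for SOCKS sessions at least min_duration_s long."""
    result = {}
    for f in flows:
        kind = classify_socks(f.first_bytes)
        if kind and f.duration_s >= min_duration_s:
            result.setdefault(f.device, []).append((f.dst, kind))
    return result


# Constructed sample flows: one long-lived SOCKS5 session, one TLS ClientHello,
# one short SOCKS5 session, one long-lived SOCKS4 CONNECT and plain HTTP.
SAMPLE_FLOWS = [
    Flow("phone-a", "203.0.113.10:1080", 3600, b"\x05\x01\x00"),
    Flow("phone-a", "198.51.100.5:443", 12, b"\x16\x03\x01\x00\xc8"),
    Flow("phone-b", "203.0.113.10:1080", 20, b"\x05\x02\x00\x02"),
    Flow("phone-c", "192.0.2.44:8080", 900,
         b"\x04\x01\x1f\x90\xc0\x00\x02\x2c\x00"),
    Flow("phone-d", "198.51.100.7:80", 5, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for device, sessions in find_persistent_proxy_clients(SAMPLE_FLOWS).items():
        for dst, kind in sessions:
            print(f"{device}: persistent {kind} session to {dst}")
```

The greeting check is deliberately narrow: a 0x05 first byte alone would also match unrelated binary protocols, so the method count is validated against the bytes actually present. In practice the duration threshold and the list of expected proxy destinations would come from the environment's own baseline.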
"This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and [it] could potentially span security boundaries," the Symantec researchers wrote.
"In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack."
The post showed that one of the abusive apps was called Assassins Skins for Minecraft. The post didn't name the other seven apps. Google Play showed that the apps had been downloaded from 600,000 to 2.6 million times before they were removed.
Wednesday's post should serve as a reminder that Google is chronically unable to detect untrustworthy apps before allowing them into its official app bazaar. This puts Android users in a difficult predicament that requires them to carefully think through a list of considerations before installing an app. These considerations include how useful or valuable the app truly is, whether it comes from a recognized developer that has been operating for a long time, and whether other users have left comments reporting suspicious behavior. The vetting process is by no means foolproof, and for that reason, users in doubt should always choose not to install an app.
Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google's official application market by changing its code, execution methods, or payload-retrieval techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to silently sign the victim up for premium wireless application protocol (WAP) services.
Recently, we have seen regular uploads of it onto the Google Play store. Once notified by us, the Google Android Security team took prompt action to remove the suspicious apps (listed below) from the Google Play store.
This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We identified 17 different samples regularly uploaded to Google Play in September 2020. There were a total of around 120,000 downloads for the identified malicious apps.
In some Joker variants, the final payload is delivered via a direct URL received from the command and control (C&C) server. In this variant, the infected Google Play store app has the C&C address hidden in the code itself using string obfuscation.