SockBot Discovered in Development

Recently we reported on the first-ever ransomware that both changes the user's PIN and encrypts user data on Android devices, discovered by researchers at ESET. Less than a week later, another piece of malware targeting Android users was discovered. SockBot, discovered by researchers at Symantec, is a Trojan that was used to target users who play the Minecraft Pocket Edition mobile game. A total of 8 apps carrying the Trojan have been discovered on Google’s Play Store. The apps, which were advertised as legitimate player skin apps, had a total installation count ranging between 600,000 and 2.6 million.

All of the apps were created by the same developer, going by the name of FunBaster. Google has since removed the apps. Fortunately for those who may have been infected with SockBot, Google is able to remove infected apps from users’ mobile devices. This action taken by Google would have drastically reduced the number of possible infections. Using a popular app or game to lure users into downloading malicious apps is by no means a new trick. Given the popularity of Minecraft and a user base that includes many younger users who are not aware of the dangers posed, the creator picked a target easily susceptible to a malware attack.

SockBot deployed SOCKS proxies

Researchers named the malware SockBot because, once installed, it starts a SOCKS proxy on the infected device and awaits commands from a remote botnet command and control (C&C) server. Socket Secure (SOCKS) is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS also provides a measure of authentication to allow only authorized users access to the server. SOCKS can also be used as a circumvention tool, allowing traffic to bypass Internet filtering to access content that is otherwise blocked. SOCKS interfaces are also infamously used in the Tor onion proxy software.
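
As an added illustration of the authentication step mentioned above (not code from Symantec or from the malware), the following Python sketch parses the opening method negotiation of SOCKS version 5 as defined in RFC 1928 and reports whether a proxy accepted a client without authentication. It assumes SOCKS5, which the article does not specify, and the function names and sample payloads are constructed for this example.

```python
# Added example: SOCKS5 method negotiation (RFC 1928), parsed from captured bytes.
# Assumption: SOCKS version 5; the article does not state which version SockBot used.

NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF

def parse_client_greeting(data: bytes):
    """VER | NMETHODS | METHODS... -> list of offered method codes, or None."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    count = data[1]
    if count == 0 or len(data) != 2 + count:
        return None  # truncated or padded: not a clean greeting
    return list(data[2:])

def parse_server_choice(data: bytes):
    """VER | METHOD -> the method code the proxy selected, or None."""
    if len(data) != 2 or data[0] != 0x05:
        return None
    return data[1]

def classify_negotiation(client_first: bytes, server_first: bytes) -> str:
    """Classify the first message sent in each direction of a TCP session."""
    offered = parse_client_greeting(client_first)
    chosen = parse_server_choice(server_first)
    if offered is None or chosen is None:
        return "not-socks5"
    if chosen == NO_ACCEPTABLE:
        return "rejected"            # proxy refused every offered method
    if chosen not in offered:
        return "protocol-violation"  # proxy picked a method never offered
    if chosen == NO_AUTH:
        return "unauthenticated-proxy"
    return "authenticated-proxy"

# Constructed sample payloads (client first message, server first message).
SAMPLES = {
    "open": (bytes([0x05, 0x02, NO_AUTH, USER_PASS]), bytes([0x05, NO_AUTH])),
    "auth": (bytes([0x05, 0x02, NO_AUTH, USER_PASS]), bytes([0x05, USER_PASS])),
    "refused": (bytes([0x05, 0x01, NO_AUTH]), bytes([0x05, NO_ACCEPTABLE])),
    "http": (b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
}

if __name__ == "__main__":
    for name, (client, server) in SAMPLES.items():
        print(f"{name}: {classify_negotiation(client, server)}")
```

A session classified as unauthenticated-proxy on a handset is worth investigating, since a phone has little legitimate reason to accept proxy clients.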

Researchers discovered that although infected devices received data about ads, such as ad type, screen size name, and others, the malware did not contain functionality to display these ads. Researchers were at pains to say that the malware could easily be changed to relay malicious traffic or to carry out DDoS attacks instead.

SockBot appears to still be in development

Given that SockBot had no functionality to display ads in order to commit ad fraud, researchers concluded that the malware was discovered while still in development. This is not the first time large botnet infections have been found targeting Android users. WireX and GhostClicker have been added to the list of threats users should be aware of.

WireX, which surfaced at the end of August, prompted a coalition of security firms to team up and combat the threat, which was actively executing DDoS attacks. Security researchers from Akamai, CloudFlare, Flashpoint, Google, Oracle Dyn, RiskIQ, and Team Cymru worked together to stop the threat posed. WireX was distributed in a similar manner to SockBot, but its distribution also included other third-party app vendors. Researchers discovered that the malware was capable of performing powerful DDoS attacks. Some attacks came to the attention of law enforcement, as the attackers occasionally demanded a ransom. In mid-August, researchers managed to determine that the botnet was capable of launching DDoS attacks using bots spread across over 120,000 unique IP addresses.

Because multiple security firms collated their data, the information could be quickly used to remove over 300 Android apps carrying the malware. In the past, a single security firm did not necessarily have the resources available to stop a massive botnet event. By working together, the firms prevented the attackers from getting a foothold and becoming harder to eradicate. Once attacks get a foothold, creators can evolve the malware to prevent detection and removal, as has been seen with many banking Trojans.

GhostClicker, like the above two examples, was distributed via the Google Play Store. In total, the adware was found in 340 apps. GhostClicker worked by tapping on ads for the adware operator's profit. It does not tap on just any ads, but only on those served via Google's AdMob platform. GhostClicker also used a second method to generate profits: it participates in traffic redirection affiliate schemes by showing popups and ads over other apps, trying to redirect users to various pages, such as YouTube links. Through analysis, it was determined that GhostClicker was created solely for profit, as it was not capable of stealing user information.

Trend Micro found GhostClicker in mundane apps such as app cleaners, memory boosters, file managers, QR and barcode scanners, multimedia recorders, multimedia players, battery chargers, and GPS navigation apps. In this instance, Google was not as fast in preventing further infections as in the above examples. Experts reported all 340 infected apps to Google, but 101 of these were still available in the Play Store by August 7, 2017.

How to prevent your Android device from being infected

Although SockBot was effectively dealt with by Google and Symantec, some attacks cannot be easily detected initially or prevented from doing what their creators designed them for. For that reason, users are advised to follow a few simple steps to prevent malware from infecting their mobile devices. These best practices include:

  • Never download apps from unauthorized or illegitimate app stores.
  • Protect your phone with passwords.
  • Immediately install all OS updates once they are made available.
  • Don’t view or share sensitive personal information on public Wi-Fi.
  • Choose the best antivirus app for your phone.
  • Read and understand the permissions before you download any new app.
  • Make sure you download apps that are scanned through Bouncer (the internal malware scanner in the Android Market).

Given Android’s popularity and its share of the mobile OS market, believing that malware targeting Android users will disappear is naïve. As much as Google and security firms are actively trying to prevent attacks, the sheer number of attacks and how advanced certain attacks may be mean this is not a possibility. Informing yourself of the dangers and adjusting how you use your mobile device can be the difference in whether you become infected or not.