A new Android malware was discovered to be spreading not just as one app but as several apps on Google Play. Symantec has recently reported that a certain Android.Sockbot was detected coming from several apps that have already been installed in at least 600,000 to 2.6 million phones. Most of the users targeted are from the US but other countries like Germany, Brazil, Ukraine, and Russia have also been victimized.

The Symantec group noted a developer account only known as ‘FunBaster’ to be connected to this malware that was signed with different developer keys on every app. The malware may still be out there but Symantec already informed Google Play about the malicious apps a few weeks ago. The apps in question are said to have been deleted already so that’s good news.

What this malware did was to pose as a legit app. Once downloaded, it would connect to a server on port 9001 to receive commands. Requests were then made by the C&C server to open a socket for a connection to arrive. The main goal was for ads to come in. As long as the app was installed, it would command to connect to a server and then ads were launched. These devices that have been compromised by the malware were also added to botnet to then perform DDoS attacks.

Minecraft PE was one example that appeared to be legit but was actually malicious. Users may not realize it easily but it’s only a skin app that really showed unwanted ads. It’s just one app but if not removed or if this malware continues to spread, then more danger and vulnerabilities may begin.

SOURCE: Symantec