Sockbot Spread via 8 Apps on the Google Play Store

Do you use an Android device? If you do, are you cautious? Unfortunately, many Android users are pretty careless when it comes to the installation of new apps. Google Play Store comes pre-installed with every Android OS, and, generally, it is a reputable source that offers all of the apps you might ever need or want. The problem is that while Google Play Store is a source you can usually trust, it is also targeted by malware developers and distributors. One of the latest threats to hit the app store is the Sockbot Trojan that was found to camouflage itself as a legitimate app allegedly providing Android users with skins for “Minecraft: Pocket Edition.” In fact, there is not one but at least eight different apps that were offered to Google Play Store users. According to S. Aimoto and M. Zhang at Symantec, these apps have been downloaded between 600,000 and 2.6 million times. What does this Trojan do, and how should you remove it? These are the main questions addressed in this report.

The eight malicious apps hiding Sockbot malware have already been taken down from the Google Play Store, and so Android users who have not downloaded them do not need to worry about them specifically. That being said, similar apps could be created in the future, and there are some features that can give away the threat. One of the malicious apps was called “Assassins skins for Minecraft,” and it was offered by FunBaster. Although harmless companies could be offering additions to apps created by other companies (in this case, Mojang), generally, it is a good idea to do some investigation. If you are not familiar with the app developer, you need to do your research, and if there is anything suspicious, interacting with the content offered by it might not be such a good idea. Another thing you have to be extremely cautious about is the permissions that you give every time you download a new app. According to Symantec analysis, the permissions requested by the app carrying the Sockbot Trojan included accessing Wi-Fi and networks, opening network connections, reading from and writing to external storage devices, starting upon device startup, and displaying alerts. While these kinds of permissions might be normal in some cases, they have nothing to do with the service offered, which is providing skins for Minecraft characters. In conclusion, it is best to avoid apps whose “permissions” do not make sense and enable intrusive activity.
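The permission check described above can be automated. The following is an added example, not code from Symantec or from the original report: it parses the "requested permissions" section of `adb shell dumpsys package <name>` output and lists the permissions that the app's stated purpose does not explain. The mapping from the report's prose to Android permission names, the review rule, and the package names in the sample data are assumptions made for illustration.

```python
import re

# Assumption: the report's prose permission list mapped to standard Android names.
PROFILE = {
    "android.permission.ACCESS_WIFI_STATE": "access Wi-Fi information",
    "android.permission.ACCESS_NETWORK_STATE": "access network information",
    "android.permission.INTERNET": "open network connections",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at device startup",
    "android.permission.SYSTEM_ALERT_WINDOW": "display alerts",
}
PERSISTENT_OR_OVERLAY = {"android.permission.RECEIVE_BOOT_COMPLETED",
                         "android.permission.SYSTEM_ALERT_WINDOW"}

def requested_permissions(dumpsys_text):
    """Return the names listed under 'requested permissions:' in dumpsys output."""
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        item = line.strip()
        if item == "requested permissions:":
            in_block = True
        elif in_block:
            m = re.match(r"([\w.]+\.\w+)(:.*)?$", item)
            if not m:  # the next section header ends the block
                break
            perms.add(m.group(1))
    return perms

def audit(dumpsys_text, justified=frozenset()):
    """List profile permissions that the app's stated purpose does not explain."""
    requested = requested_permissions(dumpsys_text)
    unexplained = sorted((requested & set(PROFILE)) - set(justified))
    # Assumed rule: network access combined with unexplained boot start or
    # overlay alerts is worth a manual review before keeping the app.
    review = ("android.permission.INTERNET" in requested
              and bool(PERSISTENT_OR_OVERLAY & set(unexplained)))
    return {"unexplained": [(p, PROFILE[p]) for p in unexplained], "review": review}

# Constructed samples in the shape of `adb shell dumpsys package <name>` output.
SAMPLE_SKINS = ("Package [com.example.skins] (constructed):\n"
                "    requested permissions:\n"
                + "".join(f"      {p}\n" for p in PROFILE)
                + "    install permissions:\n"
                "      android.permission.INTERNET: granted=true\n")
SAMPLE_BENIGN = ("Package [com.example.notes] (constructed):\n"
                 "    requested permissions:\n"
                 "      android.permission.INTERNET\n"
                 "      android.permission.CAMERA\n"
                 "    install permissions:\n")

if __name__ == "__main__":
    print(audit(SAMPLE_SKINS, {"android.permission.WRITE_EXTERNAL_STORAGE"}))
    print(audit(SAMPLE_BENIGN))
```

Pass in `justified` the permissions a reviewer considers reasonable for what the app claims to do; everything else from the profile is reported with its plain-language meaning.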

Once the app linked to the Sockbot Trojan is installed on the Android device, it should be represented via a button with an image of a ninja. The name of the app should be “SKINS.” While the app itself looks harmless, the infection within it connects to a C&C server on port 9001 to retrieve a command that opens a socket using SOCKS, a protocol that enables communication between client and server using a proxy server. By doing this, the infection ensures that it successfully connects to a target server and receives a list of ads to display. Sockbot connects to an adware server and launches ad requests. This is how users might realize that something is not right because soon after the allegedly useful app is installed, various ads start showing up and interrupting the overall experience. Interacting with these ads could be dangerous if they promoted other malicious apps or links to corrupted websites. In general, the party profiting from promoting ads most likely does not care about the content that is promoted.

While the obvious task for the malicious Sockbot Trojan is to showcase advertisements, it is believed that this threat could evolve if left unattended. Considering the privileges that it has, this threat could easily communicate with remote servers, download malicious components, and, potentially, perform DDoS (distributed denial of service) attacks. Also, security vulnerabilities could be exposed to infect the device and exploit the data within or even the resources in a malicious manner. Overall, nothing good can come out of a malicious Trojan, and ignoring it could be extremely dangerous. Even if you are able to circumvent the irritating ads it displays, you do not want to let a malicious threat jeopardize your virtual security.

If there is one thing clear in this entire situation, it is that your Android device is not protected efficiently. A trustworthy and up-to-date security app must be installed at all times to ensure that malicious apps and components are not hidden or launched without your permission. Security apps can also warn you against dangerous apps before you install them, as well as divert you from malicious websites when connecting to them. Of course, you cannot put all of the responsibility on security apps. You yourself need to be more cautious when downloading apps. Make sure you use only reliable sources, research the companies offering apps, and, of course, do some research to learn if the apps themselves can be trusted. It is also advised that you back up data because that is the only thing that could save you from permanent data loss.

The instructions below show how to remove Sockbot-related apps; however, you must employ a legitimate security app and run a full device scan to check if it is clean.

How to Remove Unwanted Android Apps

  1. Open the Settings menu on your Android device.
  2. Next, move to the Apps/Applications menu.
  3. Find the unwanted app and click it once to access App info.
  4. Tap the Uninstall button and clear any residual data if prompted about it.
  5. Scan your Android device to check if it is now clean.