Symantec discovered new malware in popular Google Play apps that compromises devices, enlists them in a botnet, and uses them to generate ad revenue. The company said these apps have been collectively installed on between 600,000 and 2.6 million devices.
According to Symantec, the malware is disguised as apps that allow you to change how characters look in Minecraft: Pocket Edition. All of the apps were made by someone going by the pseudonym FunBaster, although they were all signed with different developer keys, which makes it harder for Google Play to automatically flag them as malware. The code is also obfuscated, and its key strings are encrypted to further help avoid detection.
Symantec explained how the malware works in a blog post (opens in new tab):
The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.
This setup allows the apps to garner illegitimate ad revenue. It can also be used to conduct DDoS attacks, however, because the devices are under FunBaster's control. (There's a sentence we didn't expect to write.) That wouldn't be a surprise—DDoS attacks have become more and more common over the last few years, with attackers taking down popular websites, games, and services with increasingly large bot armies.
The ease with which someone can assemble these bot armies also makes DDoS mitigation services and other security features more important. Companies like CloudFlare have recognized this necessity by improving their networks and offering unlimited mitigation to all their customers. Other companies have worked to stop botnets from generating ill-gotten ad revenues by making it seem like ads have been viewed many times.
Here's the good news: Symantec informed Google about the apps on October 6, and the malicious software was removed from the company's app store (no capitals). Similar malware is sure to pop up—Android is simply too large a platform to ignore—but at least these particular apps won't be able to capitalize on people's (particularly children's) love for Minecraft: Pocket Edition.