Google Play again found the malware that integrated infected devices into an advertising botnet

Experts at Symantec found in the applications from Google Play malware Sockbot

Experts at Symantec found in the applications from Google Play malware Sockbot, which combined infected devices into a botnet. As a result, in early October 2017, eight programs from the developer FunBaster, downloaded from 600,000 to 2.6 million times, were removed from the official application catalog. It is worth noting that all applications were signed by different keys of developers in order to avoid detection. Since Google has the ability to remove dangerous applications from user devices, most applications have already been removed from there.

The worm spread in various applications, including legitimate, at first glance, skins for Minecraft: Pocket Edition (PE). However, malware developers secretly earned money on their users.

The name Sockbot, in fact, explains the operation principle of the detected malware. The malware installed on infected SOCKS-proxy devices, and then waited for commands from the management server. Researchers write that the main function of Sockbot was the display of advertising, data about which it received from its operators. Nevertheless, Symantec analysts believe that the Malvari authors could at any time re-profile their “product” and use it to implement DDoS attacks or proxy for malicious traffic.

Mostly from Sockbot, users from the United States were affected, but there were also victims from Russia, Ukraine, Brazil and Germany.

Let me remind you that today it became known that Google has launched a bug bounty program for third-party applications on Google Play, but adware, fake applications and frank malware under the terms of the program are not yet covered.