Minecraft Botnet: Android Apps Hijacked By Malware For Attacks

A number of apps available through Google Play Store purporting to be companion services for the popular game Minecraft actually house malicious software that will compromise a device and use it as part of a massive botnet.

Cybersecurity firm Symantec first discovered the scheme, which includes a total of eight trojan horse-like Minecraft apps infected with malware. The apps range in popularity but generally have between 600,000 and 2.6 million installations.

The popularity of Minecraft, which boasts more than 122 million copies sold and about 40 million active users each month, no doubt has helped drive those download figures as players are regularly in search of resources that will help them create and progress within in the game.

Those many unfortunate Minecraft fans simply looking for some help or additional skins for the game instead wandered into the attackers’ trap. The Minecraft themed apps sitting in Google’s official marketplace for mobile apps were laced with the Sockbot malware.

According to Symantec’s researchers, the fake Minecraft apps were originally used to generate ad revenue for the attackers by serving the infected device malicious and legitimate advertisements that, when viewed or clicked, would put money in the pocket of the attackers.

The malware has since been modified to do even more damage than just serve annoying ads—it can also completely enslave a victim’s device and allow a threat actor to use the smartphone in a botnet attack.

In such an attack, the threat actors responsible for the malware can coordinate thousands if not millions of infected devices and use them to flood a single target with activity. That can create a denial of service attack that can knock a website or service offline and make it unavailable to or unusable for others.

"This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries," Symantec researchers wrote. "In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack."

The malicious apps responsible for the botnet attack all came from one developer known as FunBaster. The developer managed to obscure the malicious code in its apps by encrypting the code to bypass Google’s automated scans.

Still, the presence of the malware-laced apps in the Google Play Store raises questions about Google’s security protocols, which have been tightened in recent months but continue to allow attackers to sneak by unnoticed and rack up millions of downloads.

Earlier this year, an estimated 600,000 Android devices were discovered to be infected by malware hidden in guides for popular mobile games and may be used to create a botnet to generate ad revenue for the attackers.

That attack, dubbed FalseGuide, was spread through a number of apps that presented themselves as guides for popular mobile games, including Pokémon Go, FIFA, World of Tanks and a number of LEGO titles—all of which were also available through the Google play Store.