Malware on the Google Play Store can be both common and devastating despite Google's best efforts to secure it, and the Sockbot malware, one that was found in 8 different apps and can add a user's device to a botnet, is the latest example. The apps that the malware found its way into have managed to give it a combined user base of between 600,000 and 2.6 million users, according to Symantec's estimates. All of the apps in question were skin apps for Minecraft Pocket Edition, and they have been removed. Activity in regards to this particular malware seems to be spread across the United States, Russia, Ukraine, Brazil, and Germany.
All of the malicious apps came from a single developer by the name of FunBlaster, but the apps are each signed with a different developer key, making the automatic tracing and reviewing his app publishing history a bit more difficult. The app uses port 9001 and a SOCKS proxy to connect to a command and control server, which then launches a number of ads, but never displays them. Along with surreptitious ad revenue, the malware also adds in a user's device to a single botnet consisting of all infected users, though the purpose of that botnet is as yet unclear. The actual malicious code is well-hidden, and many bits of it are actually encrypted. This means that the command server can see the instructions, as can the target device while holding the unique key, but Google's automated malware scanners cannot.
This malware is certainly not the first to hit the Play Store, nor will it be the last. One thing about it that is somewhat unique, however, is its mysterious approach to looping devices into a botnet. Upon examination, there did not seem to be any instructions for the botnet going out, as if the creator was waiting for the right time to utilize the botnet, or waiting for a specific use case to arise. While putting devices in a botnet and having them do things like launch DDOS attacks or mine bitcoin is a fairly common route for mobile malware, having the botnet sit and wait for instructions is somewhat rare, and a bit foreboding.