This is not a good week for Google, it seems.

After our mobile security experts repeatedly discovered adware on several apps on the Google Play store, our friends at Symantec have unearthed at least eight malicious apps that are found capable of adding affected mobile devices to a botnet. According to their blog post, the apps have been downloaded and installed onto 2.6 million smartphones, tablets, and possibly some IoTs.

Threat actors behind the bogus apps have banked on the popularity of Minecraft, a sandbox video game with a user base of 100 million. They specifically targeted Minecraft: Pocket Edition (PE), which launched in 2015. Symantec explained how the malicious apps work:

The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.

There is no functionality within the application to display ads.

Due to a large number of devices affected, it’s possible for the threat actors to also leverage them for DDoS attacks. This is not a new concept—using mobile devices to launch a crippling blow to websites and networks has been done before.

To minimize the possibility of downloading apps that are not behaving like they’re supposed to, consult our list of safe practices when using your mobile device. Meanwhile, users of Malwarebytes for Android who have updated to the latest version are already protected. We detect the malicious apps as Android/Backdoor.Clientor.fun.

Stay safe, everyone!