- Jul 22, 2014
A new Android malware family called DressCode can be used as a proxy to relay attacks inside corporate networks and steal information from servers previously considered secure.
The malware's name comes from the countless dress-up games in which DressCode's authors have hidden their malicious code.
Check Point, the security firm that discovered this threat, says it identified over 40 apps on the Google Play store infected with malware, and over 400 similar apps distributed via unofficial third-party stores.
DressCode infected at least half a million Android devices
DressCode-infected apps made their way onto the Google Play Store starting in April 2016, but Google has since intervened and removed the apps at Check Point's behest.
According to Google Play statistics, DressCode apps infected between 500,000 and 2,000,000 users, with one of the most successful apps being downloaded between 100,000 and 500,000 times just by itself.
At the technical level, the DressCode malware includes malicious code that hijacks infected devices and connects them to a botnet.
The malware acts like a beacon that constantly communicates with the botnet's command and control (C&C) server. Whenever the botnet's author decides what malicious actions to execute, he simply pings the desired devices and sends them the malicious code to execute.
DressCode transforms infected devices into proxy servers
Communication between the C&C server and the malware is carried out via a SOCKS proxy set up on the infected device. This proxy allows the botnet operator to reach even firewalled networks, deep inside corporate infrastructure.
Attackers could use this scenario to send malicious commands to the infected device, which could scan the network for valuable information the attacker could steal, or escalate his access.
This case is a worst-case scenario and most likely DressCode operators use the infected devices to deliver ads and perform click-fraud for their personal financial gain.
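The two paragraphs above describe the pattern a network defender would want to catch: an infected phone on the corporate Wi-Fi holding a channel open to an external C&C server while being used as a SOCKS relay to reach internal hosts. The script below is an added example written for this post; it is not code from the article, from Check Point, or from the DressCode samples. It makes two constructed assumptions: the BYOD/mobile segment is 10.50.0.0/16 and everything else in 10.0.0.0/8 is corporate-internal. The flow records and the payload bytes are constructed sample data. The `is_socks5_greeting` check only helps where the proxy handshake is visible in the clear; the flow-based check works regardless of encryption because it keys on behaviour (a long-lived outbound session plus fan-out to many internal hosts from a device that should only be a client).

```python
"""Added example (not from the article or Check Point): defender-side checks
for an infected mobile device used as a SOCKS relay into the internal network.

Assumptions (constructed for this example):
  * the BYOD / mobile Wi-Fi segment is 10.50.0.0/16
  * everything else in 10.0.0.0/8 is corporate-internal
  * flow records are CSV: ts,src_ip,dst_ip,dst_port,bytes,duration_s
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

MOBILE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # assumption
INTERNAL = ipaddress.ip_network("10.0.0.0/8")           # assumption

# Constructed flow log. 10.50.3.17 keeps a 30-minute session to an outside
# host and then touches five distinct internal servers; 10.50.3.18 behaves
# like a normal client; 10.1.0.50 is not a mobile device and is ignored.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,bytes,duration_s
1000,10.50.3.17,198.51.100.23,443,81234,1800
1010,10.50.3.17,10.1.0.10,445,2048,3
1011,10.50.3.17,10.1.0.11,22,1024,2
1012,10.50.3.17,10.1.0.12,3389,4096,4
1013,10.50.3.17,10.2.0.5,445,512,1
1014,10.50.3.17,10.2.0.6,8080,768,1
1020,10.50.3.18,198.51.100.99,443,30000,10
1021,10.50.3.18,10.1.0.10,443,9000,5
1030,10.1.0.50,10.1.0.10,445,5000,2
"""


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload is a well-formed SOCKS5 client greeting (RFC 1928):
    VER=0x05, NMETHODS>=1, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def parse_flows(text: str) -> list:
    """Parse the CSV flow format assumed above into typed dicts."""
    rows = []
    for r in csv.DictReader(StringIO(text.strip())):
        rows.append({
            "ts": int(r["ts"]),
            "src": ipaddress.ip_address(r["src_ip"]),
            "dst": ipaddress.ip_address(r["dst_ip"]),
            "port": int(r["dst_port"]),
            "bytes": int(r["bytes"]),
            "duration": int(r["duration_s"]),
        })
    return rows


def find_relay_candidates(flows, min_cc_duration=300, min_internal_fanout=5):
    """Return {mobile_ip: {"cc": [external ips], "internal_targets": n}} for
    devices in MOBILE_SEGMENT that both hold a long-lived session to a
    non-internal address and reach many distinct internal hosts."""
    long_external = defaultdict(set)    # mobile src -> external dsts
    internal_targets = defaultdict(set)  # mobile src -> internal dsts
    for f in flows:
        if f["src"] not in MOBILE_SEGMENT:
            continue
        if f["dst"] not in INTERNAL:
            if f["duration"] >= min_cc_duration:
                long_external[f["src"]].add(f["dst"])
        elif f["dst"] not in MOBILE_SEGMENT:
            internal_targets[f["src"]].add(f["dst"])
    out = {}
    for src, targets in internal_targets.items():
        if src in long_external and len(targets) >= min_internal_fanout:
            out[str(src)] = {
                "cc": sorted(str(ip) for ip in long_external[src]),
                "internal_targets": len(targets),
            }
    return out


if __name__ == "__main__":
    for device, info in find_relay_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{device}: long session to {info['cc']}, "
              f"{info['internal_targets']} internal hosts reached")
```

Tune `min_internal_fanout` to the segment: a phone on guest Wi-Fi normally reaches zero internal servers, so even a threshold of two is meaningful there, whereas a managed device that legitimately uses mail and file servers needs a higher bar.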
Before discovering DressCode, the Check Point team had found Viking Horde, a similar Android malware family that also focuses on delivering ads, by using a proxy to interconnect bots and their C&C server.
Read more: DressCode Android Malware Found in over 40 Google Play Store Apps