A recently discovered mobile malware family, dubbed “DressCode”, has infected over 400 apps in distribution via Google Play, security researchers at Trend Micro warn.
DressCode has infected around 40 apps on Google Play and 400 more apps distributed through third-party app stores, but the actual number of infected apps might be higher. Trend Micro researchers say they detect DressCode as ANDROIDOS_SOCKSBOT.A and have found at least 3,000 Trojanized apps.
DressCode has been spreading stealthily since April through a variety of apps, including skins, games and themes. Because the malicious code is only a small part of each infected app, it is rather difficult to detect. Google removed the affected apps from its store after Trend Micro notified it in September.
Once the victim installs an infected application, the malware connects to its C&C (Command and Control) server, which newer versions of the malware specify as a domain name (earlier versions used a hardcoded IP address). The device is then turned into a proxy that relays traffic between the attacker and the internal network the device is connected to.
Trend Micro explains the threat mechanism as follows: “A background service creates a Transmission Control Protocol (TCP) socket that connects the compromised device with the C&C server and sends a “HELLO” string to finish registering. Once the C&C server replies, a “CREATE, <Attacker IP>, <Port>” command prompts the device to establish a TCP connection between it and the attacker. It allows the device to receive commands from the attacker via the SOCKS protocol.”
According to Trend Micro, a DressCode-infected device initiates the TCP connection to the attacker itself because the device sits behind a router, where the attacker could not otherwise reach it. Once the SOCKS proxy is established, the attacker can relay commands through the device to other servers on the LAN it is connected to, which allows the attacker to log in to internal servers located behind the router.
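As an added illustration of the handshake Trend Micro describes (example code written for this page, not Trend Micro's code and not code from the malware), the following Python detector scans a list of constructed flow records for the “HELLO” registration string sent to an external host, followed by a “CREATE, <ip>, <port>” command arriving from that same host, and marks the alert as confirmed when the device then opens the outbound connection the command asked for. The `Flow` record format, its field names, and all sample addresses are assumptions made for the example; a real deployment would feed it payloads from an egress proxy or IDS.

```python
"""Detect a DressCode-style C&C registration and CREATE command.

Everything here is constructed for illustration: the Flow record shape,
the device names, and the IP addresses (documentation ranges) are
assumptions, not values from Trend Micro's report.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Command format quoted in the report: CREATE, <Attacker IP>, <Port>
# Whitespace around the separators is tolerated; anything else is rejected.
CREATE_RE = re.compile(r"^\s*CREATE\s*,\s*([^,\s]+)\s*,\s*(\d{1,5})\s*$")


@dataclass(frozen=True)
class CreateCommand:
    target_ip: str
    target_port: int


def parse_create(payload: str) -> Optional[CreateCommand]:
    """Parse a CREATE command; return None for anything malformed."""
    m = CREATE_RE.match(payload)
    if not m:
        return None
    ip_text, port_text = m.group(1), m.group(2)
    try:
        ip = ipaddress.ip_address(ip_text)  # rejects non-IP strings
    except ValueError:
        return None
    port = int(port_text)
    if not 1 <= port <= 65535:
        return None
    return CreateCommand(str(ip), port)


@dataclass(frozen=True)
class Flow:
    """One observed TCP payload (assumed record shape)."""
    device: str     # identifier of the mobile device on the LAN
    direction: str  # "out" = device -> remote host, "in" = remote host -> device
    remote: str     # remote host address
    payload: str    # decoded payload text


def detect_proxy_handshake(flows: List[Flow]) -> List[Dict]:
    """Return one alert per HELLO -> CREATE sequence seen for a device.

    An alert is 'confirmed' when the device is later seen opening an
    outbound connection to the address named in the CREATE command
    (only the IP is matched, since Flow carries no port).
    """
    hello_seen: Set[Tuple[str, str]] = set()   # (device, c2 host) that sent HELLO
    pending: Dict[Tuple[str, str], Dict] = {}  # (device, attacker ip) -> alert
    alerts: List[Dict] = []
    for f in flows:
        key = (f.device, f.remote)
        if f.direction == "out" and f.payload.strip() == "HELLO":
            hello_seen.add(key)
            continue
        if f.direction == "in" and key in hello_seen:
            cmd = parse_create(f.payload)
            if cmd is not None:
                alert = {
                    "device": f.device,
                    "c2": f.remote,
                    "attacker_ip": cmd.target_ip,
                    "attacker_port": cmd.target_port,
                    "confirmed": False,
                }
                alerts.append(alert)
                pending[(f.device, cmd.target_ip)] = alert
            continue
        if f.direction == "out" and key in pending:
            pending[key]["confirmed"] = True
    return alerts


# Constructed sample traffic: phone-01 shows the full sequence, phone-02 receives
# a CREATE-looking string without any prior HELLO and must not raise an alert.
SAMPLE_FLOWS = [
    Flow("phone-01", "out", "203.0.113.10", "HELLO"),
    Flow("phone-01", "in", "203.0.113.10", "CREATE, 198.51.100.7, 1080"),
    Flow("phone-01", "out", "198.51.100.7", "(proxied traffic)"),
    Flow("phone-02", "out", "192.0.2.50", "GET / HTTP/1.1"),
    Flow("phone-02", "in", "192.0.2.50", "CREATE, 192.0.2.60, 22"),
]

if __name__ == "__main__":
    for a in detect_proxy_handshake(SAMPLE_FLOWS):
        print(a)
```

The check keys on the same remote host sending the CREATE command that received the HELLO, so an unrelated server returning a similar string does not trigger it; pairing the alert with the device's subsequent outbound connection is what turns a suspicious string into evidence of a working relay.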
By turning the mobile device into a proxy, the attacker exposes both the device owner and the network it is connected to. Researchers say this poses a significant threat to a business's internal servers.
Describing this scenario, the researchers said, “This malware (DressCode) allows threat actors to infiltrate a user’s network environment. If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard. With the growth of Bring-Your-Own-Device (BYOD) programs, more enterprises are exposing themselves to risk via carefree employee mobile usage.”
Because of the forcibly installed SOCKS proxy, the device can also be misused as a bot: attackers could enlist infected devices in botnet activity such as DDoS attacks or spam campaigns, and monetize them that way.
Researchers add that the malware can also be used to probe weak routers the device is connected to, exposing internal IP addresses, and in turn to exploit vulnerabilities in other devices on the network, such as connected cameras.
Image credits: Trend Micro