DressCode Android Malware Finds Apparent Successor in MilkyDoor

  • Posted on: April 20, 2017 at 12:37 pm
  • Posted in: Malware, Mobile
  • Author: Mobile Threat Response Team

By Echo Duan and Jason Gu (Mobile Threat Response Engineers)

Mobile malware’s disruptive impact on enterprises continues to grow as mobile devices become an increasingly preferred platform for flexibly accessing and managing data. We recently found 200 unique Android apps—one of which had installs ranging between 500,000 and a million on Google Play—embedded with a backdoor: MilkyDoor (detected by Trend Micro as ANDROIDOS_MILKYDOOR.A).

MilkyDoor is similar to DressCode (ANDROIDOS_SOCKSBOT.A)—an Android malware family that adversely affected enterprises—in that both employ a proxy using the Socket Secure (SOCKS) protocol to gain a foothold into the internal networks that infected mobile devices connect to. MilkyDoor, maybe inadvertently, provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting up SOCKS proxies. Further, this is carried out without the user’s knowledge or consent.

While MilkyDoor appears to be DressCode’s successor, it adds a few malicious tricks of its own. Among them are more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via a Secure Shell (SSH) tunnel over the commonly used Port 22. The abuse of SSH lets the malware encrypt its malicious traffic and payloads, which makes detection trickier.

We found these Trojanized apps masquerading as recreational applications ranging from style guides and books for children to Doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged, Trojanized, and then republished on Google Play, banking on their popularity to draw victims.

Impact to Enterprises

MilkyDoor poses a greater risk to businesses because of how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data. The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices. Its stealth lies in the fact that the infected apps themselves request no sensitive permissions and consequently sit on the device exhibiting regular or seemingly benign communication behavior.

The repercussions are also significant. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services—from web and FTP to SMTP—in the internal network. That access can then be leveraged to poll internal IP addresses in order to scan for available—and vulnerable—servers. The recent spate of compromises in MongoDB and ElasticSearch databases, whose owners were also extorted, is a case in point: the servers were publicly exposed, a problem exacerbated by the lack of authentication on the databases themselves.


Figure 1: A sample MilkyDoor-carrying app in Google Play


Figure 2: According to the app’s Google Play page, its number of installations already reached between 500,000 and 1,000,000.

A Better Version of DressCode?

The malicious code runs a process called android.process.s, disguised as an Android system package in order to draw attention away from it while running. Upon the Trojanized app’s installation, MilkyDoor queries a third-party service, which we’ve tracked as freegeoip[.]net, to obtain the device’s local IP address along with the country, city, and coordinates (longitude/latitude). It then uploads this information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format containing an SSH server’s user, password, and host. The malware’s operators leverage Java Secure Channel (JSch), a common library that is a pure Java implementation of SSH2, to establish the SSH tunnel between the infected device and the attacker.


Figure 3: The structure of the malicious code


Figure 4: Running a process alone in AndroidManifest.xml
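The process-name disguise in Figure 4 is something an app-vetting pipeline can flag directly from the manifest. The following is an added triage example (not code from the post or from Trend Micro); the manifest is constructed for illustration, and the component, package and prefix list are assumptions:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the trait described above: one component
# declared to run in a global process whose name mimics an Android system package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.kidsbook">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Kids Book">
    <activity android:name=".MainActivity"/>
    <service android:name="com.sdk.core.TunnelService" android:process="android.process.s"/>
    <receiver android:name=".BootReceiver" android:process=":bg"/>
  </application>
</manifest>"""

# Namespaces a third-party app has no business naming its processes after (assumed list).
SYSTEM_PREFIXES = ("android.", "com.android.", "system.")
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def suspicious_processes(manifest_xml):
    """Return (component name, process name) pairs whose android:process attribute
    names a global process that mimics a system package, while the app's own
    package name does not belong to that namespace."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    hits = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        proc = comp.get(f"{{{ANDROID_NS}}}process")
        # No custom process, or a private (":name") process scoped to this app: benign.
        if not proc or proc.startswith(":"):
            continue
        if proc.startswith(SYSTEM_PREFIXES) and not pkg.startswith(SYSTEM_PREFIXES):
            hits.append((comp.get(f"{{{ANDROID_NS}}}name"), proc))
    return hits


if __name__ == "__main__":
    for name, proc in suspicious_processes(SAMPLE_MANIFEST):
        print(f"component {name} runs in system-looking process {proc}")
```

The same check can be run over a decoded AndroidManifest.xml from any APK; the BootReceiver's ":bg" process is correctly ignored because a leading colon makes it private to the app.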

Using its port forwarding feature, MilkyDoor smuggles various types of Internet traffic into or out of a network. This can be employed to avoid network monitoring or sniffers, or even to bypass firewalls. In this case, the attacker’s server, acting as an SSH server, accepts connections from the infected apps and also listens on local ports. Through this tunnel, all traffic arriving at that port is then forwarded into the client host’s internal network.

DressCode was noted for building a proxy using the Socket Secure (SOCKS) protocol on Android devices in order to access internal networks. MilkyDoor leverages the SOCKS protocol and remote port forwarding via SSH to achieve dynamic port forwarding, which in turn allows data to traverse to any remote destination and port. Because the SSH tunnel uses Port 22, firewalls usually do not block traffic that goes through this port, and the tunnel encrypts the payloads transmitted over the connection. In a nutshell, MilkyDoor’s routines resemble those of anonymizing and Internet censorship-bypassing services.



Figure 5: Code snapshots showing how MilkyDoor collects local IP details


Figure 6: MilkyDoor leveraging JSch library to carry out port forwarding through SSH tunnel


Figure 7: Infected mobile devices allow attackers to bypass firewall to breach internal servers

Retracing the MilkyDoor(s)

In-depth analysis of the malicious code within the software development kit (SDK) integrated in the apps indicates they were updated versions (1.0.6). Tracing the malware and the SDK revealed that they were distributed as early as August 2016. The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3.

Our research into MilkyDoor also pointed us to a traffic arbitrage service being advertised in a Russian bulletin board system (BBS). We construe that the SSH tunnel MilkyDoor builds is also used to create fake traffic and perpetrate click fraud to generate more revenue for the attackers. Delving further into one of the MilkyDoor-infected apps, we saw that the certificate used is linked to a high-profile cyberespionage/information theft campaign.

So how does it stack up to DressCode? While MilkyDoor’s backdoor capabilities—and the security risks they entail—can be deemed on par with DressCode’s, MilkyDoor’s techniques and routines reflect the greater complexity its developers are inclined to use. Its way of blending in with normal network traffic (via dynamic port forwarding) to better hide its malicious activities, and its use of an SSH tunnel to encrypt payloads, are just some of its notable highlights.

Mitigation

As mobile threats continue to diversify and mount up in scale and scope, businesses and end users must reinforce their security posture against threats like MilkyDoor. End users are recommended to be more prudent in terms of securing their mobile devices, especially if they are used to connect, access, and manage corporate networks and assets.

DressCode and MilkyDoor build a proxy using the SOCKS protocol on Android devices in order to access internal networks. The compromised device has to connect to an external port to get commands from the attacker’s command and control (C&C) server before the proxy is created. For BYOD devices, enterprises can deploy firewalls to help restrict, if not prevent, internal systems from accessing uncommonly used external ports—one of the key techniques employed by these kinds of threats.
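The tunnel behavior described earlier (a device holding a long-lived outbound SSH session to an external host) and the egress restriction recommended here can both be checked against flow logs. The following detection logic is an added example, not code from the post or from Trend Micro; the flow records, subnets and port allowlist are constructed assumptions for a BYOD network segment:

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration: "src dst dst_port duration_s bytes_out".
SAMPLE_FLOWS = [
    "10.50.1.23 203.0.113.9 22 7210 184320",   # BYOD phone, long-lived SSH to an external host
    "10.50.1.23 198.51.100.7 443 12 4096",     # ordinary HTTPS on an allowlisted port
    "10.50.1.40 203.0.113.9 22 3600 2048",     # second BYOD phone, same external SSH host
    "10.20.0.5 203.0.113.9 22 45 1024",        # admin workstation, outside the BYOD subnet
    "10.50.1.23 10.10.0.4 22 900 512",         # internal SSH, not an egress flow
]

BYOD_NETS = [ipaddress.ip_network("10.50.0.0/16")]   # assumed BYOD / guest Wi-Fi range
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EGRESS_PORTS = {80, 443}                     # what BYOD devices legitimately need
MIN_DURATION_S = 600                                 # tunnels stay open; web requests do not


def _in(nets, addr):
    return any(addr in n for n in nets)


def parse_flow(line):
    src, dst, port, dur, out = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(dur), int(out)


def flag_tunnel_candidates(lines):
    """Map each BYOD source to the long-lived egress flows it holds to
    non-allowlisted external ports (SSH on 22 being the MilkyDoor case)."""
    hits = defaultdict(list)
    for line in lines:
        src, dst, port, dur, _ = parse_flow(line)
        if not _in(BYOD_NETS, src) or _in(INTERNAL_NETS, dst):
            continue
        if port in ALLOWED_EGRESS_PORTS or dur < MIN_DURATION_S:
            continue
        hits[str(src)].append((str(dst), port, dur))
    return dict(hits)


def shared_external_hosts(hits):
    """External hosts reached by more than one flagged device: one SSH endpoint
    shared by unrelated phones points at a single operator's server."""
    by_dst = defaultdict(set)
    for src, flows in hits.items():
        for dst, _, _ in flows:
            by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}
```

The same port allowlist used here is what the firewall rule in the paragraph above would enforce; running the check over flow logs tells you whether the rule is already being violated.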

Best practices mobile users can adopt include being cautious of suspicious apps and keeping the device’s Operating System (OS) up to date. Android patches and updates are fragmented, however, so users should contact their device’s Original Equipment Manufacturer (OEM) about their availability. Organizations that adopt Bring Your Own Device (BYOD) programs in the workplace must maintain a balance between productivity, flexibility, privacy, and security. For IT and system administrators, a robust patch management process and better system restriction/permission policies can help improve security for BYOD devices.

Trend Micro Solutions

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning; it also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.

We have disclosed our findings to Google and worked with them to take down the malicious apps on Google Play. A list of Indicators of Compromise (IoCs) comprising related hashes (SHA256) and C&C communication can be found in this appendix.

Updated as of April 23, 2017, 11:40PM, UTC-7:
We updated the first paragraph to indicate only one app had installs between 500,000 and one million.

Tags: DressCode, Dynamic Port Forwarding, MilkyDoor, SSH