
DressCode and its Potential Impact for Enterprises

  • Posted on:September 29, 2016 at 8:50 pm
  • Posted in:Mobile
  • Author:
    Echo Duan (Mobile Threat Response Engineer)

Threats to mobile users have grown quickly in the span of only a few months. Trend Micro’s Mobile App Reputation Service (MARS) has counted 16.6 million malware detections as of August 2016, a 40% leap from detections listed in January. The Android platform continues to be particularly susceptible, with one specific malware family called “DressCode” steadily and stealthily spreading since April before reports about it surfaced in August. This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks.

Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps. The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 detected on Google Play. The malicious code only makes for a small part of the app, making it difficult to detect. The apps found range from recreational types like games, skins, and themes to phone optimization boosters. Trend Micro notified Google Play of the threats in September, and they took necessary steps to remove the compromised apps.

Figure 1. According to its Google Play page, this app has been installed 100,000 – 500,000 times.

Figure 2. The structure of the malicious code

Multiple threats possible with DressCode

Once the Trojanized app is installed, DressCode connects with its command and control (C&C) server—in earlier versions the malware authors used a hardcoded IP address for its C&C server, but it has since been replaced by a domain. A background service creates a Transmission Control Protocol (TCP) socket that connects the compromised device with the C&C server and sends a “HELLO” string to finish registering. Once the C&C server replies, a “CREATE, <Attacker IP>, <Port>” command prompts the device to establish a TCP connection between it and the attacker. This allows the device to receive commands from the attacker via the SOCKS protocol.

The compromised device can act as a proxy that relays traffic between the attacker and internal servers the device is connected to—think of it as a tunnel. Since the device is behind the router, it initiates a TCP connection to the C&C server and then another TCP connection to the attacker. After the SOCKS proxy is set up, it can forward commands from the attacker to other servers in the same LAN. Because the device opens both connections outbound, the attacker can reach internal servers even though they, too, sit behind the router.
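As an added illustration (not code from the original post or from Trend Micro), the following Python sketch turns the exchange just described into detection logic for a network sensor: it parses the `CREATE, <Attacker IP>, <Port>` relay instruction and walks a constructed set of per-device connection records looking for the full sequence of registration (`HELLO`), relay instruction, outbound connection to the relay endpoint, and follow-on connections to RFC 1918 hosts. The record format, the sample addresses and the 600-second correlation window are assumptions made for the example.

```python
"""Detection sketch for the DressCode-style C&C registration and SOCKS pivot.

Sequence described in the post:
  1. device opens TCP to the C&C server and sends "HELLO"      (registration)
  2. C&C replies "CREATE, <Attacker IP>, <Port>"              (relay target)
  3. device opens a second outbound TCP connection to that endpoint
  4. device then relays attacker traffic to hosts on the local LAN
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real telemetry). One record per line:
#   <epoch> <device_ip> <direction in|out> <peer_ip>:<peer_port> <payload or ->
# Addresses are documentation/test ranges chosen for the example.
SAMPLE_RECORDS = """\
1475161800 10.0.5.23 out 203.0.113.10:9999 HELLO
1475161801 10.0.5.23 in  203.0.113.10:9999 CREATE, 198.51.100.7, 1080
1475161802 10.0.5.23 out 198.51.100.7:1080 -
1475161805 10.0.5.23 out 10.0.1.15:445 -
1475161806 10.0.5.23 out 10.0.1.16:3389 -
1475161900 10.0.5.40 out 172.217.0.1:443 -
1475161901 10.0.5.40 out 10.0.1.15:445 -
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<dev>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<peer>[^:\s]+):(?P<port>\d+)\s+(?P<payload>.*)$"
)
# Tolerates optional whitespace around the commas in the command.
CREATE_RE = re.compile(r"^CREATE\s*,\s*(?P<ip>[^,\s]+)\s*,\s*(?P<port>\d+)\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_create_command(payload):
    """Parse 'CREATE, <Attacker IP>, <Port>'; return (ip, port) or None if malformed."""
    m = CREATE_RE.match(payload.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # not a valid IPv4/IPv6 literal
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return str(ip), port


def is_lan(ip):
    """True only for RFC 1918 space (Python's is_private also covers test nets)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_records(text):
    """Parse the record lines, skipping blank or garbled ones, sorted by time."""
    recs = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        recs.append({"ts": int(m.group("ts")), "dev": m.group("dev"),
                     "dir": m.group("dir"), "peer": m.group("peer"),
                     "port": int(m.group("port")),
                     "payload": m.group("payload").strip()})
    recs.sort(key=lambda r: r["ts"])
    return recs


def find_pivots(records, window=600):
    """Return {device_ip: finding} for devices showing all four steps within `window` seconds."""
    by_dev = defaultdict(list)
    for r in records:
        by_dev[r["dev"]].append(r)
    findings = {}
    for dev, recs in by_dev.items():
        state, cnc, relay, t0, lan = "idle", None, None, None, []
        for r in recs:
            peer = (r["peer"], r["port"])
            if state == "idle" and r["dir"] == "out" and r["payload"] == "HELLO":
                state, cnc, t0 = "registered", peer, r["ts"]          # step 1
            elif state == "registered" and r["dir"] == "in" and peer == cnc:
                target = parse_create_command(r["payload"])           # step 2
                if target:
                    state, relay = "create_seen", target
            elif state == "create_seen" and r["dir"] == "out" and peer == relay:
                state = "relay_open"                                  # step 3
            elif state == "relay_open" and r["dir"] == "out" and r["ts"] - t0 <= window:
                if is_lan(r["peer"]):
                    lan.append(peer)                                  # step 4
        if state == "relay_open" and lan:
            findings[dev] = {"cnc": cnc, "relay": relay, "lan_targets": lan}
    return findings


if __name__ == "__main__":
    for dev, f in find_pivots(parse_records(SAMPLE_RECORDS)).items():
        print(f"{dev}: C&C {f['cnc']}, relay {f['relay']}, LAN targets {f['lan_targets']}")
```

A device that merely talks to an external host and then to a file server (the second device in the sample) does not trigger, because the alert requires the registration string, a well-formed relay instruction from the same C&C endpoint, and the relay connection before any LAN activity is counted.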

Figure 3. Received commands from the C&C server

Figure 4. Set up a SOCKS proxy to relay traffic between the attacker and internal server

This general purpose tunnel can be used for different purposes, and the device owner—as well as any network he is connected to—is exposed to a variety of security risks.

  • This malware allows threat actors to infiltrate a user’s network environment. If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard. With the growth of Bring Your Own Device (BYOD) programs, more enterprises are exposing themselves to risk via carefree employee mobile usage. According to Trend Micro data, 82% of businesses implement BYOD or allow employee personal devices for work-related functions. While this program can increase employee productivity, it can also make companies vulnerable to malware like DressCode.

Figure 5. Infected mobile devices allow clients to bypass a NAT device and attack internal servers

  • The malware installs a SOCKS proxy on the device, building a general purpose tunnel that can control and give commands to the device. It can be used to turn devices into bots and build a botnet, which is essentially a network of slave devices that can be used for a variety of schemes like distributed denial-of-service (DDoS) attacks—which have become an increasingly severe problem for organizations worldwide—or spam email campaigns. The botnet can use the proxied IP addresses also generated by the malware to create fake traffic, disguise ad clicks, and generate revenue for the attackers.

Figure 6. Large botnets can launch powerful DDoS attacks against enterprises and organizations.

  • A compromised mobile device can also be used to reach other devices connected to the same home network. A weak home router password will make it easier for an attacker to discover the IP address of other connected devices and establish control. For example, an IP camera connected to the same router as the mobile device would be vulnerable and could expose users to privacy risks—potentially attackers could access and record the video feed.

Figure 7. Privacy becomes a concern as devices like IP cameras can be hacked

While DressCode’s infection methods and behavior aren’t unique, the number of Trojanized apps that found their way to a legitimate app store is certainly significant. In response to the growing threat, here are some general safety tips to prevent malware from compromising your device:

    1. Check your apps. If you are downloading a new app, make sure it’s from a legitimate app store. Check reviews online and on the download page, and do a little research to make sure it’s not a malicious app.
    2. Update regularly. Make sure your operating system is updated. The latest patches can ensure that the latest identified vulnerabilities are fixed.
    3. Be aware of the risks of rooting. Rooting removes security restrictions and safeguards specifically placed by manufacturers to keep your device protected. The system will be more vulnerable to malware and other dangerous code if the device is rooted.
    4. Avoid unsecured Wi-Fi. This will reduce the risk of threat actors connecting to your phone without your knowledge. Also, make sure to disable the option on your device that connects automatically to available Wi-Fi.
    5. Use a Virtual Private Network (VPN). If you do need to connect to public Wi-Fi, make sure to use a VPN. It secures your devices’ Internet connection and protects the data you’re sending and receiving through encryption.

Users can also benefit from layered mobile security solutions such as Trend Micro™ Mobile Security. The solution has a malware blocker feature that bars threats from app stores before they can be installed and cause damage to your device or data. Enterprises should invest in solid mobile device management solutions. Trend Micro™ Safe Mobile Workforce™ offers a virtualized mobile infrastructure where company data is securely stored on corporate servers and separated from personal apps and data.

Trend Micro has already detected samples that infected enterprise users in the United States, France, Israel, and Ukraine—with still more being detected in other countries. These users can successfully avoid the threat with Trend Micro™ Mobile Security for Enterprise. This solution includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Related SHA1s detected as ANDROIDOS_SOCKSBOT.A:

• 2ae29110c34efea0dedfa4d7d48055c4b8deaaa2
• 997d7978eb825111f62b6dfd00e26d952adac8c0
• cc2ebbcab305ffd52b18df7d61b35abd6abf7681
• 3c0182486e701d7d85641c6dc5ef1be79dcaa151
• 66824215afa64ea28a1956ad9be635c8a65b425a
• b48814f4c9e91a55d2b5b51313180ba105112022
• 12be3c11b3006ece729a49718384b135bff0aacd
• 3eeba05a2c15442422a70c67abaeb90062ac531d
• 5a2189ba300076f8370945ef854ddc7de1eb437c
• c36e87c2462ff4480a66a034646c220f76307379
• 6047d7271af3f629595e92a5e43722da19eee5ac
• 9de174e5883dc4ff34f10e5cb071775552a3caf2

Updated on September 29, 2016, 08:50 AM (UTC-7) 

TCP connection details updated.

Updated on October 4, 2016, 01:02 AM (UTC-7)

This post was updated to clarify that Trend Micro notified Google Play prior to publication, and the response of Google Play.

Tags: android, DressCode, google play