Threats to mobile users have grown quickly in the span of only a few months. Trend Micro’s Mobile App Reputation Service (MARS) has counted 16.6 million malware detections as of August 2016, a 40% leap from detections listed in January. The Android platform continues to be particularly susceptible, with one specific malware family called “DressCode” steadily and stealthily spreading since April before reports about it surfaced in August. This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks.
Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps. The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 detected on Google Play. The malicious code only makes for a small part of the app, making it difficult to detect. The apps found range from recreational types like games, skins, and themes to phone optimization boosters. Trend Micro notified Google Play of the threats in September, and they took necessary steps to remove the compromised apps.
Figure 1. According to its Google Play page, this app has been installed 100,000 – 500,000 times.
Figure 2. The structure of the malicious code
Multiple threats possible with DressCode
Once the Trojanized app is installed, DressCode connects with its command and control (C&C) server—in earlier versions the malware authors used a hardcoded IP address for its C&C server, but it has since been replaced by a domain. A background service creates a Transmission Control Protocol (TCP) socket that connects the compromised device with the C&C server and sends a “HELLO” string to finish registering. Once the C&C server replies, a “CREATE, <Attacker IP>, <Port>” command prompts the device to establish a TCP connection between it and the attacker. This allows the device to receive commands from the attacker via the SOCKS protocol.
The compromised device can act as a proxy that relays traffic between the attacker and internal servers the device is connected to—think of it as a tunnel. Since the device is behind the router, it initiates a TCP connection to the C&C server and then another TCP connection to the attacker. After the SOCKS proxy is set up, it can forward commands from the attacker to other servers in the same LAN. Because both connections are outbound from the device, the attacker can reach internal servers even though they are also located behind the router.
Figure 3. Received commands from the C&C server
Figure 4. Set up a SOCKS proxy to relay traffic between the attacker and internal server
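As an added illustration from the defender's side (not code from the post or from the malware), the Python below parses the C&C exchange described above from captured payload strings: a device-to-server "HELLO" registration followed by a server-to-device "CREATE, <Attacker IP>, <Port>" relay command. The exact separators and whitespace of the wire format, the direction labels, and the sample session are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Wire format as described in the write-up: the bot sends "HELLO" to register,
# and the C&C answers with "CREATE, <Attacker IP>, <Port>". The exact
# separators / whitespace are an assumption made for this example.
CREATE_RE = re.compile(r"^\s*CREATE\s*,\s*([^,\s]+)\s*,\s*(\d{1,5})\s*$")

@dataclass(frozen=True)
class RelayTarget:
    ip: str
    port: int

def parse_create(payload: str) -> Optional[RelayTarget]:
    """Return the relay endpoint from a CREATE command, or None if malformed."""
    m = CREATE_RE.match(payload)
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    try:
        ipaddress.ip_address(ip)  # reject anything that is not a literal IP
    except ValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    return RelayTarget(ip, port)

def detect_handshake(session: Iterable[tuple[str, str]]) -> list[RelayTarget]:
    """session: ordered (direction, payload) pairs, where 'out' is device->server
    and 'in' is server->device. Only CREATE commands that follow a HELLO
    registration are reported, mirroring the sequence described in the post."""
    registered = False
    hits = []
    for direction, payload in session:
        if direction == "out" and payload.strip() == "HELLO":
            registered = True
        elif direction == "in" and registered:
            target = parse_create(payload)
            if target:
                hits.append(target)
    return hits

# Constructed sample session (not a real capture): registration, a relay
# setup command pointing at a documentation-range address, and one other message.
SAMPLE_SESSION = [
    ("out", "HELLO"),
    ("in", "OK"),
    ("in", "CREATE, 203.0.113.10, 1080"),
    ("in", "PING"),
]

if __name__ == "__main__":
    for t in detect_handshake(SAMPLE_SESSION):
        print(f"relay tunnel requested to {t.ip}:{t.port}")
```

In a real deployment the session pairs would come from a proxy or IDS reassembling the device's outbound TCP stream; a hit is a strong indicator that the device is being turned into a relay into the local network.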
This general purpose tunnel can be used for different purposes, and the device owner—as well as any network he is connected to—is exposed to a variety of security risks.
- This malware allows threat actors to infiltrate a user’s network environment. If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard. With the growth of Bring Your Own Device (BYOD) programs, more enterprises are exposing themselves to risk via carefree employee mobile usage. According to Trend Micro data, 82% of businesses implement BYOD or allow employee personal devices for work-related functions. While this program can increase employee productivity, it can also make companies vulnerable to malware like DressCode.
Figure 5. Infected mobile devices allow clients to bypass a NAT device and attack internal servers
- The malware installs a SOCKS proxy on the device, building a general purpose tunnel through which the attacker can control and issue commands to the device. It can be used to turn devices into bots and build a botnet, which is essentially a network of controlled devices that can be used for a variety of schemes like distributed denial-of-service (DDoS) attacks—which have become an increasingly severe problem for organizations worldwide—or spam email campaigns. Because each infected device exposes its own IP address through the proxy, the botnet can also use these addresses to create fake traffic, disguise ad clicks, and generate revenue for the attackers.
Figure 6. Large botnets can launch powerful DDoS attacks against enterprises and organizations.
- A compromised mobile device can also be used to reach other devices connected to the same home network. A weak home router password will make it easier for an attacker to discover the IP address of other connected devices and establish control. For example, an IP camera connected to the same router as the mobile device would be vulnerable and could expose users to privacy risks—potentially attackers could access and record the video feed.
Figure 7. Privacy becomes a concern as devices like IP cameras can be hacked
While DressCode’s infection methods and behavior aren’t unique, the number of Trojanized apps that found their way to a legitimate app store is certainly significant. In response to the growing threat, here are some general safety tips to prevent malware from compromising your device:
- Check your apps. If you are downloading a new app, make sure it’s from a legitimate app store. Check reviews online and on the download page, and do a little research to make sure it’s not a malicious app.
- Update regularly. Make sure your operating system is updated. The latest patches can ensure that the latest identified vulnerabilities are fixed.
- Be aware of the risks of rooting. Rooting removes security restrictions and safeguards specifically placed by manufacturers to keep your device protected. The system will be more vulnerable to malware and other dangerous code if the device is rooted.
- Avoid unsecured Wi-Fi. This will reduce the risk of threat actors connecting to your phone without your knowledge. Also, make sure to disable the option on your device that connects automatically to available Wi-Fi.
- Use a Virtual Private Network (VPN). If you do need to connect to public Wi-Fi, make sure to use a VPN. It secures your devices’ Internet connection and protects the data you’re sending and receiving through encryption.
Users can also benefit from layered mobile security solutions such as Trend Micro™ Mobile Security. The solution has a malware blocker feature that bars threats from app stores before they can be installed and cause damage to your device or data. Enterprises should invest in solid mobile device management solutions. Trend Micro™ Safe Mobile Workforce™ offers a virtualized mobile infrastructure where company data is securely stored on corporate servers and separated from personal apps and data.
Trend Micro has already detected samples that infected enterprise users in the United States, France, Israel, and Ukraine—with still more being detected in other countries. These users can successfully avoid the threat with Trend Micro™ Mobile Security for Enterprise. This solution includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.
Related SHA1s detected as ANDROIDOS_SOCKSBOT.A:
Updated on September 29, 2016, 08:50 AM (UTC-7)
TCP connection details updated.
Updated on October 4, 2016, 01:02 AM (UTC-7)
This post was updated to clarify that Trend Micro notified Google Play prior to publication, and the response of Google Play.