|
DressCode Android Malware Discovered on Google Play
|
by Alon Menczer and Alexander Lysunets, Check Point Research Team The Check Point mobile threat prevention research team discovered a new Android malware on Google Play, called “DressCode,” which was embedded into more than 40 apps, and found in more than 400 additional apps on third party app stores. Check Point notified Google about the malicious apps, and some have already been removed from Google Play.
The oldest apps were uploaded to Google Play on April 2016, where they remained undetected until recently. Some of the apps reached between 100,000 and 500,000 downloads each. Between 500,000 and 2,000,000 users downloaded the malicious apps from Google Play.
Similar to Viking Horde, DressCode creates a botnet that uses proxied IP addresses, which Check Point researchers suspect were used to disguise ad clicks and generate false traffic, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots can be used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.
Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to “sleep,” to keep it dormant until there’s a use for the infected device. When the attacker wants to activate the malware, he can turn the device into a socks proxy, rerouting traffic through it.
So, why should you be concerned about such malware?
Both Viking Horde and DressCode malware create botnets which can be used for various purposes, and even to infiltrate internal networks. Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations.
To demonstrate how this could be achieved, Check Point researchers created a video , showing how attackers could potentially use the DressCode malware to access an internal network and retrieve sensitive files from it.
Appendix – Package names found on Google Play
com.dark.kazy.goddess.lp com.whispering.kazy.spirits.pih com.shelter.kazy.ghost.jkv com.forsaken.kazy.game.house com.dress.up.Musa.Winx.Stella.Tecna.Bloom.Flora com.dress.up.princess.Apple.White.Raven.Queen.Ashlynn.Ella.Ever.After.High com.monster.high.Dracubecca.freaky.Fusion.draculaura com.dress.up.Cerise.Hood.Raven.Queen.Apple.White.Ever.After.Monster.High com.ever.after.high.Swan.Duchess.barbie.game com.cute.dressup.anime.waitress com.rapunzel.naughty.or.nice guide.slither.skins clash.royale.guide guide.lenses.snapchat com.minecraft.skins.superhero com.catalogstalkerskinforminecraft_.ncyc com.applike.robotsskinsforminecraft com.temalebedew.modgtavformcpe com.manasoft.skinsforminecraftunique com.romanseverny.militaryskinsforminecraft com.temalebedew.animalskinsforminecraft com.temalebedew.skinsoncartoonsforminecraft com.str.carmodsforminecraft com.hairstyles.stepbystep.yyhb com.str.mapsfnafforminecraft com.weave.braids.steps.txkw mech.mod.mcpe com.applike.animeskinsforminecraftjcxw com.str.furnituremodforminecraft com.vladgamerapp.skin.editor.for_.minecraft ru.sgejko.horror.mv com.vladgamerapp.skins.for_.minecraft.girls com.zaharzorkin.cleomodsforgtasailht com.temalebedew.ponyskins com.my.first.date.stories com.gta.mod.minecraft.raccoon com.applike.hotskinsforminecraft com.applike.serversforminecraftpe com.zaharzorkin.pistonsmod wiki.clash.guide mobile.strike.guide prank.calling.app sonic.dash.guide
2360 page views
|
|
|
|