“DressCode” is a new Android malware family that has been found on hundreds of apps in the Google Play Store. The name was derived from the popular “Dress Up” game app that was trojanized, or infected. Appthority has identified 63 different infected apps on the Google Play Store, the first dating back to Feb 15, 2016.
Security researchers did not see the first versions of DressCode-infected apps on Google Play until April 2016. By August 2016, a total of 40 infected apps were available in the Google Play Store and more than 400 were found in third-party app stores. A recent blog post from Trend Micro shows that the number of DressCode-infected apps has since skyrocketed to 3,000.
WHAT WE KNOW
The malicious behavior of “DressCode” is subtle but effective. Whenever a DressCode-infected app starts up, it talks to a C&C (Command and Control) server and gets the attacker’s IP address. DressCode then runs a SOCKS proxy that allows the attacker to route network traffic through the mobile device. Attackers commonly use this technique to create fake traffic for ad revenue, or to launch distributed denial-of-service (DDoS) attacks from the infected mobile device.
This is particularly worrisome for enterprise customers, as the SOCKS proxy can potentially be used to reach corporate internal networks from the mobile device. DressCode thereby gains access to every network the mobile device is connected to, which could include internal servers that share sensitive documents and information. As a result, an attacker can use DressCode to exfiltrate sensitive corporate data through the mobile device. This is a serious threat.
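To make the relay behavior described above concrete from the defender’s side, here is an added example (not Appthority’s code or anything from the DressCode samples) that decodes a SOCKS5 client greeting and CONNECT request as defined in RFC 1928 and flags requests whose destination lies inside corporate address space. The corporate ranges and the three sample byte streams are constructed for the example; a sensor on the mobile Wi-Fi segment that sees this pattern in an outbound stream from a phone is seeing the phone being used as a bridge into the LAN.

```python
import ipaddress
import struct

# Constructed corporate ranges (assumption for the example): a relay request
# aimed at one of these from a phone is the "phone as bridge into the LAN" case.
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data):
    """SOCKS5 client greeting: VER | NMETHODS | METHODS. Returns (methods, consumed) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods]), 2 + nmethods


def parse_connect(data):
    """SOCKS5 request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Returns (host, port, consumed) or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4:
        if len(data) < 10:
            return None
        host, end = str(ipaddress.IPv4Address(bytes(data[4:8]))), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host, end = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == ATYP_IPV6:
        if len(data) < 22:
            return None
        host, end = str(ipaddress.IPv6Address(bytes(data[4:20]))), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return host, port, end + 2


def targets_corporate_net(host):
    """True if the CONNECT destination is a literal IP inside a corporate range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # domain names are left to DNS-side checks
    return any(addr in net for net in CORPORATE_NETS)


def inspect_stream(client_to_server):
    """Classify the client->server bytes of one TCP stream.

    The greeting and the request are contiguous in this direction (the server's
    method-selection reply travels the other way), so both can be read in order.
    A first byte of 0x05 alone is a weak signal; the CONNECT structure behind it
    is what makes the classification reliable.
    """
    greeting = parse_greeting(client_to_server)
    if greeting is None:
        return {"socks5": False}
    methods, used = greeting
    req = parse_connect(client_to_server[used:])
    if req is None:
        return {"socks5": True, "connect": None}
    host, port, _ = req
    return {
        "socks5": True,
        "connect": (host, port),
        "no_auth": 0 in methods,               # method 0x00 = no authentication
        "internal_target": targets_corporate_net(host),
    }


# Constructed sample streams (not captures from real DressCode traffic).
SAMPLE_INTERNAL = bytes([5, 1, 0]) + bytes([5, 1, 0, 1, 10, 1, 2, 3]) + struct.pack("!H", 445)
SAMPLE_DOMAIN = bytes([5, 2, 0, 2]) + bytes([5, 1, 0, 3, 11]) + b"example.com" + struct.pack("!H", 80)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, stream in [("internal", SAMPLE_INTERNAL), ("domain", SAMPLE_DOMAIN), ("http", SAMPLE_HTTP)]:
        print(name, inspect_stream(stream))
```

The first sample is the case the post warns about: a no-authentication greeting followed by a CONNECT to an internal host on port 445. The second is a relay to a public domain, which matches the ad-fraud or DDoS use; the third is ordinary HTTP and is not flagged.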
In addition to implementing a SOCKS proxy, DressCode shows other risky behaviors, which are flagged by Appthority’s Mobile Threat Protection solution. All 63 identified DressCode samples ask for location data. Twelve access the microphone, and a few ask for SMS data, call log data and the address book. Appthority has also identified aggressive advertisement-related behaviors in DressCode, such as displaying advertisements outside the apps, even when the devices are locked.
Although the malware was named after a “Dress Up” game, customers should be aware that NOT all DressCode-infected apps share the girly or cute theme of the popular “Dress Up” game. Twenty-seven of the apps are related to Minecraft, 4 to Snapchat, 3 to Subway Surfer, and 2 to Batman vs. Superman. It is common for malicious apps to pretend to be related to popular apps to drive more downloads.
Appthority has already identified over 60 unique samples of DressCode in our global database of apps installed on enterprise devices. This supports the widespread infection of apps that has been reported by Trend Micro.
Due to the high risk of DressCode-infected apps, Appthority recommends customers use our portal to identify any apps that have been infected by this malware and remove them from all devices in your enterprise environment.
Rules for detecting DressCode are now available in the Appthority portal and can be found under the new behavior called “Infected by DressCode”. Appthority customers can create an app policy with the “Infected by DressCode” behavior or simply add that behavior to an existing app policy that captures security vulnerabilities or high-risk behaviors. Further instructions can be found here.
There is little evidence of major DressCode exploits in the wild so far. But DressCode has established a malicious infrastructure on Android devices that could be activated in the future, in the same way Conficker was on legacy systems. We therefore rate this as a potentially critical issue, and any devices found with “Infected by DressCode” should be remediated immediately.
In addition, as a best practice, we advise our customers to encrypt all their corporate communication channels, and leverage certificate pinning on corporate apps. Encrypted channels prevent bots, like DressCode-infected devices, from sniffing important network information. We also advise monitoring the company’s network for unusual bot-like activities, such as sudden changes in network traffic, access to offshore IP addresses or illegitimate DNS addresses, and emails routing to servers other than designated corporate email servers.
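The monitoring advice above can be turned into simple rules over flow logs. The following is an added example, not Appthority’s code or product logic: it reads constructed flow-log lines (a timestamp plus `src=`, `dst=`, `dport=` and `bytes=` fields, a format assumed for the example) and raises the four signals the post names: a sudden jump in a device’s outbound volume against its baseline, connections to offshore addresses, DNS queries sent to resolvers other than the corporate ones, and mail submission to servers other than the designated mail servers. The corporate resolver and mail-server addresses, the per-device baselines and the prefix-to-country table standing in for a GeoIP database are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Everything in this section is constructed for the example (assumption), not
# taken from the post or from any real deployment.
CORPORATE_DNS = {"10.0.0.2", "10.0.0.3"}        # the only resolvers phones should use
CORPORATE_MAIL = {"10.0.5.25"}                   # the designated mail server
MAIL_PORTS = {25, 465, 587}
HOME_COUNTRY = "HQ"
# Stand-in for a GeoIP database: prefix -> country code ("HQ" = domestic).
GEO = {
    ipaddress.ip_network("10.0.0.0/8"): "HQ",
    ipaddress.ip_network("192.0.2.0/24"): "HQ",
    ipaddress.ip_network("198.51.100.0/24"): "HQ",
    ipaddress.ip_network("203.0.113.0/24"): "XX",
}
# Bytes each device sent in an equivalent window on previous days (constructed).
BASELINE_BYTES = {"10.20.1.15": 50_000, "10.20.1.16": 50_000}
SPIKE_FACTOR = 3

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


def parse_flow(line):
    """Pull src, dst, dport and bytes out of one flow-log line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(2), "dport": int(m.group(3)), "bytes": int(m.group(4))}


def country_of(ip):
    """Look the destination up in the constructed prefix table; unknown prefixes get '??'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"   # not in the table: treat as foreign, i.e. worth a look


def analyze(lines):
    """Return a list of (rule, source_device, detail) findings over a window of flow lines."""
    findings = []
    sent = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        sent[flow["src"]] += flow["bytes"]
        if flow["dport"] == 53 and flow["dst"] not in CORPORATE_DNS:
            findings.append(("rogue_dns", flow["src"], flow["dst"]))
        if flow["dport"] in MAIL_PORTS and flow["dst"] not in CORPORATE_MAIL:
            findings.append(("rogue_mail", flow["src"], flow["dst"]))
        cc = country_of(flow["dst"])
        if cc != HOME_COUNTRY:
            findings.append(("offshore_dst", flow["src"], f"{flow['dst']} ({cc})"))
    # Volume check is per device over the whole window, so it comes after the loop.
    for src, total in sent.items():
        base = BASELINE_BYTES.get(src)
        if base and total > SPIKE_FACTOR * base:
            findings.append(("traffic_spike", src, f"{total} bytes vs baseline {base}"))
    return findings


# Constructed sample window: 10.20.1.15 behaves normally, 10.20.1.16 does not.
SAMPLE_LOG = """
2016-10-03T09:00:01 src=10.20.1.15 dst=10.0.0.2 dport=53 bytes=120
2016-10-03T09:00:02 src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=30000
2016-10-03T09:00:05 src=10.20.1.16 dst=203.0.113.9 dport=443 bytes=90000
2016-10-03T09:00:06 src=10.20.1.16 dst=203.0.113.9 dport=443 bytes=80000
2016-10-03T09:00:07 src=10.20.1.16 dst=192.0.2.53 dport=53 bytes=200
2016-10-03T09:00:09 src=10.20.1.16 dst=192.0.2.10 dport=587 bytes=4000
""".strip().splitlines()

if __name__ == "__main__":
    for rule, src, detail in analyze(SAMPLE_LOG):
        print(f"{rule:14} {src:12} {detail}")
```

On the sample window the second device trips every rule: two offshore flows, a DNS query to a non-corporate resolver, mail submission to an unknown server, and a total volume more than three times its baseline. Each rule on its own produces false positives on a real network (a travelling user, a guest resolver), which is why the findings are emitted as separate signals for an analyst to correlate rather than as a single verdict.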