Yet again mobile malware is in the news with the appearance of DressCode. As we’ve seen many times in the past year, apps have become weaponized with malware and hosted on Google Play—hiding in plain sight.
Users download the app, unaware of the malicious payload hidden inside. And when security researchers notify Google, the offending apps are removed from Google Play, but the downloaded apps remain on user devices. In the case of DressCode, hundreds of thousands of downloads remain on user devices—enough to ensure that the malware was carried into enterprise environments in the US, Europe and Middle East.
Unlike some recent targeted malware threats, aimed only at political dissidents and other specific individuals, DressCode is a broad threat—aimed at all Android users. As such, it constitutes a much greater enterprise threat as we describe below.
Security researchers did not see the first versions of DressCode-infected apps on Google Play until April, 2016. By August, 2016, a total of 40 infected apps were available in the Google Play Store and more than 400 were found in third party app stores. A recent blog post from Trend Micro shows the number of DressCode-infected apps has skyrocketed to 3,000 apps since then. Some DressCode apps had over 100,000 downloads.
Appthority has already identified over 60 unique samples of DressCode in our global database of apps installed on enterprise devices. This is a real threat, and it’s active in enterprise environments. Once in an enterprise, DressCode can launch a DDoS attack, create fake traffic, and even exfiltrate data from internal servers. It might have a cute name, but it’s dangerous malware.
Due to the high risk of DressCode malware, Appthority has issued an Advisory to our customers that recommends they use our portal to identify any apps that have been infected by this malware and remove them from all devices in their enterprise environment. Rules for detecting DressCode are available in the Appthority portal, called “Infected by DressCode”. Appthority customers can create an app policy with the “Infected by DressCode” behavior or simply add that behavior to an existing app policy that captures security vulnerabilities or high risk behaviors.
A global telecommunications customer let us know the importance of having this type of real-time mobile threat protection:
“Appthority definitely showed their value with the DressCode malware, and the immediate response we received from their team about it. We found one user with a Blackberry Priv in Texas that had one of the infected apps, and it would have caused havoc if they had gone on the [company] intranet or used their VPN. If we didn’t have Appthority, we’d be in trouble.”
We should note that, in general, when malware such as this is discovered and reported, Google and Apple act responsibly to remove the offending apps quickly. But by then hundreds of thousands of downloads may already have occurred. These downloaded apps remain on user devices, despite having been removed from the App Store or Google Play. Appthority refers to these as Dead Apps, and identifies them through our Mobile Threat Protection solution. While not all Dead Apps are malware, a high enough percentage of them are—as is the case with DressCode—so we strongly recommend they be reviewed and remediated if there’s any doubt as to their legitimacy.