DressCode Android Malware Finds Apparent Successor in MilkyDoor

By | April 20, 2017

By Echo Duan and Jason Gu (Mobile Threat Response Engineers)

Mobile malware’s disruptive affect on enterprises continues to see an uptick in prevalence as mobile gadgets develop to be an more and more most standard platform to flexibly entry and handle data. We just these days found 200 distinctive Android apps—with installs ranging between 500,000 and 1,000,000 on Google Play—embedded with a backdoor: MilkyDoor (detected by Trend Micro as ANDROIDOS_MILKYDOOR.A).

MilkyDoor is very like DressCode (ANDROIDOS_SOCKSBOT.A)—an Android malware household that adversely affected enterprises—given that each make use of a proxy using Secure Socket (SOCKS) protocol to understand a foothold into inside networks that contaminated cell gadgets join to. MilkyDoor, maybe inadvertently, gives attackers an reply to conduct reconnaissance and entry an enterprise’s weak providers by setting the SOCKS proxies. Further, that is carried out with out the user’s information or consent.

While MilkyDoor seems to be DressCode’s successor, MilkyDoor gives a pair of malicious methods of its own. Among them are its extra clandestine routines that allow it to bypass safety restrictions and conceal its malicious actions inside regular community traffic. It does so by means of the use of distant port forwarding through Secure Shell (SSH) tunnel by means of the generally used Port 22. The abuse of SSH helps the malware encrypt malicious visitors and payloads, which makes detection of the malware trickier.

We found these Trojanized apps masquerading as leisure functions starting from type guides and books for kids to Doodle applications. We surmise that these are reputable apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their fame to draw victims.

Impact to Enterprises

MilkyDoor poses better hazard to companies as a consequence of how it’s coded to assault an enterprise’s inside networks, private servers, and ultimately, agency belongings and data. The method MilkyDoor builds an SSH tunnel presents safety challenges for an organization’s network, significantly in networks that combine BYOD devices. Its stealth lies in how the contaminated apps themselves don’t have delicate permissions and consequently exist contained in the gadget using common or seemingly benign communication behavior.

The repercussions are additionally significant. MilkyDoor can covertly grant attackers direct entry to pretty a little bit of an enterprise’s services—from web and FTP to SMTP inside the inside network. The entry can then be leveraged to ballot inside IP addresses as an reply to scan for available—and vulnerable—servers. The current spate of compromises in MongoDB and ElasticSearch databases, the place their householders had been additionally extorted, are a case in point. The servers had been public, which is exacerbated by the scarcity of authentication mechanisms in its inside databases.

Figure 1: A pattern MilkyDoor-carrying app in Google Play

Figure 2: According to the app’s Google Play page, its quantity of installations already reached between 500,000 and 1,000,000.

A Better Version of DressCode?

The malicious code runs a course of referred to as android.process.s, disguised as an Android system package deal as an reply to draw consideration away from it when running. Upon the Trojanized app’s installation, MilkyDoor requests a third-party server, which we’ve tracked as freegeoip[.]net, to buy the device’s native IP address, collectively with the country, city, and its coordinates (longitude/latitude). It then uploads information to its command and administration (C&C) server, which replies with information in JavaScript Object Notation (JSON) format that comes with an SSH server’s user, password, and host. The malware’s operators leverages Java Secure Channel (JSch), a customary library that will very effectively be a pure Java implementation of SSH2, to establish the SSH tunnel between the contaminated gadget and the attacker.

Figure 3: The construction of the malicious code

Figure 4: Running a course of alone in AndroidManifest.xml

To use its port forwarding feature, MilkyDoor smuggles assorted types of Internet visitors into or out of a network. This might even be employed to maintain away from community monitoring or sniffers, and even bypass firewalls on the Internet. In this case, the attacker’s server, as an SSH server, lets the contaminated apps join whereas the server additionally listens to native ports. Through this tunnel, all visitors traversing this port will then be forwarded to the consumer host’s inside network.

DressCode was famous for constructing a proxy using the Socket Secure (SOCKS) protocol on Android gadgets as an reply to entry inside networks. MilkyDoor leverages the SOCKS protocol and distant port forwarding through SSH to attain dynamic port forwarding, which in flip permits information to traverse to all distant locations and ports. Because the SSH tunnel makes use of Port 22, firewalls typically do not block visitors that endure this port; this permits information encryption of payloads transmitted over a community connection. In a nutshell, MilkyDoor’s routines resemble anonymizing and Internet censorship-bypassing services.

Figure 6: Code snapshots exhibiting how MilkyDoor collects native IP details

Figure 7: MilkyDoor leveraging JSch library to maintain out port forwarding by means of SSH tunnel

Figure 8: Infected cell gadgets allow attackers to bypass firewall to breach inside servers

Retracing the MilkyDoor(s)

In-depth evaluation of the malicious code contained in the computer software enchancment package (SDK) built-in inside the apps level out they had been up thus far variations (1.0.6). Tracing the malware and the SDK revealed that they had been distributed as early as August 2016. The earlier iterations had been adware integrators, with the backdoor capabilities added in mannequin 1.0.3.

Our evaluation into MilkyDoor additionally pointed us to a visitors arbitrage service being marketed in a Russian bulletin board system (BBS). We construe that the SSH tunnel MilkyDoor builds may even be used to create faux visitors and perpetrate click on fraud to generate extra income for the attackers. Delving further into definitely one of many MilkyDoor-infected apps, we noticed that the certificates used is linked to a high-profile cyberespionage/information theft campaign.

So how does it stack as a lot as DressCode? While MilkyDoor’s backdoor capabilities—and the safety risks entailed—can be deemed at par with DressCode’s, MilkyDoor’s strategies and routines mirror the apparent complexity its builders are inclined to utilize. Its method of mixing in with regular community visitors (via dynamic port forwarding) to larger disguise its malicious activities, and the utilization of SSH tunnel to allow the encryption of payloads are simply a pair of of its notable highlights.


As mobile threats proceed to diversify and mount up in scale and scope, companies and finish clients should reinforce their safety posture in the direction of threats like MilkyDoor. End clients are helpful to be extra prudent by method of securing their cell devices, particularly if they’re used to connect, access, and handle agency networks and assets.

DressCode and MilkyDoor construct a proxy using the SOCKS protocol on Android gadgets as an reply to entry inside networks. The compromised gadget wished to hook up with an exterior port to get instructions from the attacker’s command and administration (C&C) server earlier than the proxy is created. For BYOD devices, enterprises can deploy firewalls to assist restrict, if not prevent, inside packages from accessing uncommonly used exterior ports—one of the important factor strategies employed by these types of threats.

Among the best practices cell clients can adopt embrace taking warning in the direction of suspicious apps, and protecting the device’s Operating System (OS) up-to-date. Android patches and updates are fragmented, however, so clients ought to contact their device’s Original Equipment Manufacturer (OEM) for his or her availability. Organizations that undertake Bring Your Own Device (BYOD) packages inside the office should protect a steadiness between productivity, flexibility, privacy, and security. For IT and system administrators, a sturdy patch administration course of and larger system restrictions/permissions insurance coverage policies can assist enhance security for BYOD devices.

Trend Micro Solutions

End clients and enterprises can additionally revenue from multilayered cell safety options comparable to Trend Micro™ Mobile Security for Android™ which might additionally be out there on Google Play. Trend Micro™ Mobile Security for Enterprise gives device, compliance and software management, information protection, and configuration provisioning, as effectively as to protects gadgets from assaults that leverage vulnerabilities, stopping unauthorized entry to apps, as effectively as to detecting and blocking malware and fraudulent websites.

We have disclosed our findings to Google and labored with them to take down the malicious apps on Google Play. A guidelines of Indicators of Compromise (IoCs) comprising associated hashes (SHA256) and C&C communication might even be found on this appendix.

DressCode Android Malware Finds Apparent Successor in MilkyDoor

Please check this great service at: http://www.test-net.org/services/proxy-checker/ or visit FREE SERVICES menu

[Total: 0    Average: 0/5]