An all-new Android malware family has been seen and is called DressCode. It can be used as a proxy to perform various relay attacks inside corporate networks and thus steal information from servers previously considered secure.
The name of the malware comes from its authors, who dressed up the names of various games to produce the malware's name.
The security firm that discovered this threat, Check Point, says that it identified over 40 apps on the Google Play store that are infected with this malware, and also over 400 similar apps distributed through unofficial third-party stores.
So far, DressCode-infected apps have been making their way into the Google Play Store since April 2016. Google has since intervened and removed some of the apps following Check Point's report.
According to Google Play statistics, DressCode apps have infected between 500,000 and 2,000,000 users, with most of the downloads coming from the most popular of them, which has between 100,000 and 500,000 downloads by itself.
At the technical level, the DressCode malware contains malicious code which hijacks the infected devices and connects them to the authors' own botnet.
Communication between the C&C server and the malware is done over a SOCKS proxy that is set up on the infected device. This proxy allows the botnet operator to reach even firewalled networks that sit deep inside corporate infrastructure.
Attackers can use this setup to send malicious commands to the infected device, which could scan the network for valuable information that the attacker could then steal, or use to escalate their access.
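From a defender's point of view, the relay pattern described above leaves a recognizable trace in network flow logs: a device on the mobile/Wi-Fi segment opens an outbound connection to an external host (the C&C), and shortly afterwards fans out to many internal hosts and ports it has no business contacting. The following is an added example, not code from the article or from Check Point, that runs such a heuristic over a few constructed NetFlow-style records. The subnets (10.20.0.0/16 as the BYOD segment, 10.0.0.0/8 as the corporate range), the thresholds, and all IP addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed network layout (not from the article): mobile/BYOD devices live in
# 10.20.0.0/16, everything in 10.0.0.0/8 counts as internal corporate space.
BYOD_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records: timestamp, src, dst, dst port, bytes.
# 10.20.5.17 behaves like a relay: one external connection, then a burst of
# internal connections to SMB, SSH, RDP, MSSQL and HTTP ports.
SAMPLE_FLOWS = """\
2016-09-01T09:00:01 10.20.5.17 203.0.113.45 443 1200
2016-09-01T09:00:05 10.20.5.17 10.0.1.10 445 300
2016-09-01T09:00:06 10.20.5.17 10.0.1.11 445 300
2016-09-01T09:00:07 10.20.5.17 10.0.1.12 22 180
2016-09-01T09:00:08 10.20.5.17 10.0.1.13 3389 220
2016-09-01T09:00:09 10.20.5.17 10.0.1.14 1433 210
2016-09-01T09:00:10 10.20.5.17 10.0.1.15 80 400
2016-09-01T09:01:00 10.20.5.42 203.0.113.9 443 9000
2016-09-01T09:02:00 10.20.5.42 10.0.1.10 443 2000
2016-09-01T09:03:00 10.20.5.99 10.0.1.20 80 1500
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def find_relay_candidates(flows, fan_out=5, window_seconds=600):
    """Flag BYOD hosts that talk to an external host and then fan out internally.

    A host is reported when, within window_seconds after its first external
    connection, it contacts at least fan_out distinct internal (host, port)
    pairs. Returns {source_ip: evidence}.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["src"] in BYOD_NET:
            by_src[f["src"]].append(f)

    findings = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f["ts"])
        external = [f for f in fs if not is_internal(f["dst"])]
        if not external:
            continue  # no outbound C&C-style connection, nothing to relay for
        first_ext = external[0]["ts"]
        internal_after = [
            f for f in fs
            if is_internal(f["dst"])
            and 0 <= (f["ts"] - first_ext).total_seconds() <= window_seconds
        ]
        targets = {(f["dst"], f["dport"]) for f in internal_after}
        if len(targets) >= fan_out:
            findings[str(src)] = {
                "external_peers": sorted({str(f["dst"]) for f in external}),
                "internal_targets": len(targets),
                "ports": sorted({f["dport"] for f in internal_after}),
            }
    return findings


if __name__ == "__main__":
    for host, evidence in find_relay_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(host, evidence)
```

The heuristic deliberately keys on the combination of an outbound connection plus internal fan-out rather than on either alone, since a phone fetching an update or a single intranet page is normal; only the relay shape (external peer first, then a spread of internal hosts and service ports) is worth an alert. In production the thresholds and windows would be tuned to the segment's baseline and the external peer would be enriched with reputation data.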
Before discovering DressCode, the Check Point team had found Viking Horde, a similar Android malware family that also focuses on delivering ads, using a proxy to interconnect the bots and their C&C server.
Hope this was helpful.