DressCode Android malware shows BYOD danger


If you don’t like “Bring Your Own Device” policies because you think they can endanger enterprise security, you’ll really hate DressCode malware — designed to infect Android devices through malicious apps on Google Play and defeat protections for networks they might be used to access.

DressCode malware, first discovered in August by Check Point in 400 apps (40 of them on Google Play), has spread rapidly since. Last week, Trend Micro said the malware had now been found in more than 3,000 trojanized apps, “including more than 400 detected on Google Play.” Infected apps ran the gamut from games and customization programs to software meant to improve the phone’s performance.

“The malicious code only makes for a small part of the app, making it difficult to detect,” write the Trend Micro researchers. The malware’s presence on Google Play is significant because most security advice urges users to download only from approved app stores. Google curates apps in Google Play and vets them with an automated scanner called Bouncer. The company did not respond to specific questions, but a spokesman said in an email that “We’re aware of the issue and we’ve taken the necessary actions” to remove the trojanized apps.

At the moment, the malware seems to be employed primarily to build botnets of infected devices. But the method it uses also makes the networks those devices connect to vulnerable to attack or data exfiltration, Trend Micro observes.

Once activated, the malware connects out to a command and control server and offers a Socket Secure, or SOCKS, proxy over that connection. SOCKS is a general-purpose proxy protocol: a SOCKS server opens a TCP connection to whatever destination the client names and relays bytes in both directions, which is why it is commonly used to get around firewalls and other blocking measures. Because the phone initiates the connection outbound, the resulting tunnel passes through the firewall and NAT rules that would block an inbound connection from the attacker. “The compromised device can act as a proxy that relays traffic between the attacker and internal servers the device is connected to — think of it as a tunnel,” write Trend Micro researchers.
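To make the tunnel concrete, the following is an added example (not code from the original article or from Trend Micro’s analysis) that walks through the SOCKS5 exchange as defined in RFC 1928, from the point of view of the infected phone. The attacker’s messages arrive over the phone’s already-established outbound connection; the phone answers and, on CONNECT, opens the requested internal connection itself. The sample bytes, the 10.0.0.5 target and the `open_connection` callback are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample traffic: what the attacker sends through the C2 channel
# to the SOCKS server running on the compromised device.
# Greeting: VER=5, NMETHODS=1, METHOD=0x00 (no authentication).
ATTACKER_GREETING = b"\x05\x01\x00"
# Request: VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), 10.0.0.5, port 445 (SMB).
ATTACKER_CONNECT = b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 445)


def select_method(greeting: bytes) -> bytes:
    """Device side of the method negotiation: accept 'no auth' if offered."""
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != 5 or len(methods) != nmethods:
        raise ValueError("malformed SOCKS5 greeting")
    return b"\x05\x00" if 0x00 in methods else b"\x05\xff"  # 0xff = no acceptable method


def parse_connect(request: bytes):
    """Decode a SOCKS5 CONNECT request into (host, port)."""
    ver, cmd, _rsv, atyp = request[:4]
    if ver != 5 or cmd != 1:
        raise ValueError("only CONNECT is handled in this example")
    if atyp == 1:                       # IPv4
        host, off = str(ipaddress.IPv4Address(request[4:8])), 8
    elif atyp == 3:                     # domain name, length-prefixed
        n = request[4]
        host, off = request[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 4:                     # IPv6
        host, off = str(ipaddress.IPv6Address(request[4:20])), 20
    else:
        raise ValueError("unknown address type")
    port = struct.unpack("!H", request[off:off + 2])[0]
    return host, port


def connect_reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Build the SOCKS5 reply: VER, REP, RSV, ATYP=1, BND.ADDR, BND.PORT."""
    return (b"\x05" + bytes([rep]) + b"\x00\x01"
            + ipaddress.IPv4Address(bind_ip).packed + struct.pack("!H", bind_port))


def is_internal_target(host: str) -> bool:
    """True when the requested destination is RFC 1918 / non-global space,
    i.e. something the attacker could only reach by pivoting through the device."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname; resolve and re-check in a real deployment


def handle_connect(request: bytes, open_connection):
    """What the infected device does on CONNECT: dial the target on the
    attacker's behalf. `open_connection(host, port)` is an assumed callback
    standing in for socket.create_connection; it returns the relay object.
    Returns (reply_bytes, relay_or_None)."""
    host, port = parse_connect(request)
    try:
        relay = open_connection(host, port)
    except OSError:
        return connect_reply(0x05), None     # REP 0x05 = connection refused
    return connect_reply(0x00), relay        # REP 0x00 = succeeded; bytes now flow both ways


if __name__ == "__main__":
    print(select_method(ATTACKER_GREETING).hex())
    host, port = parse_connect(ATTACKER_CONNECT)
    print(host, port, "internal" if is_internal_target(host) else "external")
```

The point to notice is that nothing in the exchange requires the attacker to be reachable from the inside: the phone does the connecting, and its outbound session to the command and control server is what carries the request and the relayed data.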

As the researchers note, this would allow the malware’s authors “to infiltrate a user’s network environment. If an infected device connects to an enterprise network [as in a BYOD environment], the attacker can either bypass the [Network Address Translation] device to attack the internal server or download sensitive data using the infected device as a springboard.”
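The SOCKS request itself travels inside the phone’s outbound session and is usually not visible to the network, so the practical detection is the traffic pattern it produces: a device on the BYOD segment holds a long-lived outbound connection to an outside address while it starts making connections to internal servers on service ports. The following is an added example, not code from the article or from Trend Micro, that runs that check over constructed flow records. The subnets, thresholds and `Flow` fields are assumptions chosen for illustration; adjust them to your own segmentation and telemetry.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int        # start time, seconds
    src: str
    dst: str
    dport: int
    duration: int  # seconds the connection stayed open


# Constructed sample flows (not real telemetry).
FLOWS = [
    Flow(1000, "192.168.50.23", "198.51.100.7", 443, 3600),  # phone -> outside, long-lived
    Flow(1020, "192.168.50.23", "10.10.1.5", 445, 5),        # phone -> file server (SMB)
    Flow(1025, "192.168.50.23", "10.10.1.9", 3389, 40),      # phone -> jump host (RDP)
    Flow(1030, "192.168.50.23", "10.10.1.12", 22, 2),        # phone -> dev box (SSH)
    Flow(1100, "192.168.50.77", "198.51.100.9", 443, 20),    # another phone, short web session
    Flow(1105, "192.168.50.77", "10.10.1.5", 445, 5),        # one internal hit, no long C2 session
    Flow(1200, "10.10.1.5", "192.168.50.23", 445, 3),        # server-initiated, not a BYOD source
]

BYOD_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed BYOD / guest Wi-Fi segment
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed server segment


def find_pivot_candidates(flows, byod_net, internal_net,
                          min_c2_seconds=600, min_internal_targets=2):
    """Flag BYOD hosts that keep an outbound connection open for at least
    `min_c2_seconds` and, while it is open, reach `min_internal_targets` or more
    distinct internal (dst, port) pairs. That combination is the shape of a
    reverse-proxy pivot: the long session carries the attacker's requests,
    the internal connections are the device dialing on the attacker's behalf."""
    by_host = {}
    for f in flows:
        if ipaddress.ip_address(f.src) in byod_net:
            by_host.setdefault(f.src, []).append(f)

    hits = []
    for host, host_flows in by_host.items():
        for c2 in host_flows:
            if ipaddress.ip_address(c2.dst) in internal_net or c2.duration < min_c2_seconds:
                continue
            start, end = c2.ts, c2.ts + c2.duration
            targets = {
                (f.dst, f.dport) for f in host_flows
                if ipaddress.ip_address(f.dst) in internal_net and start <= f.ts <= end
            }
            if len(targets) >= min_internal_targets:
                hits.append({"host": host, "c2": c2.dst, "c2_port": c2.dport,
                             "internal_targets": sorted(targets)})
    return hits


if __name__ == "__main__":
    for hit in find_pivot_candidates(FLOWS, BYOD_NET, INTERNAL_NET):
        print(hit)
```

Two caveats worth acting on. First, the threshold of two internal targets is deliberately conservative; on a segment where personal phones have no business reaching file servers at all, a single SMB or RDP connection from the BYOD range is already worth an alert. Second, the cleaner fix is architectural: if the BYOD segment cannot route to the server segment, the relay has nothing to reach, whatever the malware on the phone is capable of.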

The Trend Micro post says 82 percent of businesses implement BYOD or otherwise let employees use personal devices for work-related functions — making them potentially vulnerable to DressCode.

“With the growth of BYOD programs, more enterprises are exposing themselves to risk via carefree employee mobile usage,” the post concludes.
