- There is a need to understand its impact on Indian Enterprises
- This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks
- Trend Micro notified Google Play of the threats in September, and they took necessary steps to remove the compromised apps.
Trend Micro’s Mobile App Reputation Service has counted 16.6 million malware detections as of August 2016, a 40% leap from detections listed in January. The Android platform continues to be particularly susceptible, with one specific malware family called “DressCode” steadily and stealthily spreading since April before reports about it surfaced in August. This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks.
Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps. The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 detected on Google Play. The malicious code only makes for a small part of the app, making it difficult to detect. The apps found range from recreational types like games, skins, and themes to phone optimization boosters. Trend Micro notified Google Play of the threats in September, and they took necessary steps to remove the compromised apps.
Multiple threats possible with DressCode
- This malware allows threat actors to infiltrate a user’s network environment. If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard. With the growth of Bring Your Own Device (BYOD) programs, more enterprises are exposing themselves to risk via carefree employee mobile usage. According to Trend Micro data, 82% of businesses implement BYOD or allow employee personal devices for work-related functions. While this program can increase employee productivity, it can also make companies vulnerable to malware like DressCode.
- The malware installs a SOCKS proxy on the device, building a general purpose tunnel that can control and give commands to the device. It can be used to turn devices into bots and build a botnet, which is essentially a network of slave devices that can be used for a variety of schemes like distributed denial-of-service (DDoS) attacks—which have become an increasingly severe problem for organizations worldwide—or spam email campaigns. The botnet can use the proxied IP addresses also generated by the malware to create fake traffic, disguise ad clicks, and generate revenue for the attackers.
- A compromised mobile device can also be used to reach other devices connected to the same home network. A weak home router password will make it easier for an attacker to discover the IP address of other connected devices and establish control. For example, an IP camera connected to the same router as the mobile device would be vulnerable and could expose users to privacy risks—potentially attackers could access and record the video feed.
- While DressCode’s infection methods and behavior isn’t unique, the number of Trojanized apps that found their way to a legitimate app store is certainly significant. In response to the growing threat, here are some general safety tips to prevent malware from compromising your device:
Check your apps. If you are downloading a new app, make sure it’s from a legitimate app store. Check reviews online and on the download page, and do a little research to make sure it’s not a malicious app.
- Update regularly. Make sure your operating system is updated. The latest patches can ensure that the latest identified vulnerabilities are fixed.
- Be aware of the risks of rooting. Rooting removes security restrictions and safeguards specifically placed by manufacturers to keep your device protected. The system will be more vulnerable to malware and other dangerous code if the device is rooted.
- Avoid unsecured Wi-Fi. This will reduce the risk of threat actors connecting to your phone without your knowledge. Also, make sure to disable the option on your device that connects automatically to available Wi-Fi.
- Use a Virtual Private Network (VPN). If you do need to connect to public Wi-Fi, make sure to use a VPN. It secures your devices’ Internet connection and protects the data you’re sending and receiving through encryption.
Users can also benefit from layered mobile security solutions such as Trend Micro™ Mobile Security. The solution has a malware blocker feature that bars threats from app stores before they can be installed and cause damage your device or data. Enterprises should invest in solid mobile device management solutions. Trend Micro™ Safe Mobile Workforce™ offers a virtualized mobile infrastructure where company data is securely stored on corporate servers and separated from personal apps and data.
Trend Micro has already detected samples that infected enterprise users in the United States, France, Israel, and Ukraine—with still more being detected in other countries. These users can successfully avoid the threat with Trend Micro™ Mobile Security for Enterprise. This solution includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.