The Malware That Targets Android Phones on Corporate Networks

No one has ever solved the BYOD dilemma. If you don’t yet know, BYOD stands for Bring Your Own Device. It refers to a policy which allows employees to use their own smartphones, or other devices, to connect to a corporate network. The dilemma is that giving employees such freedom exposes the corporate network to the employee’s poor browsing habits, which may allow malware to penetrate corporate cyber security barriers and wreak havoc. On the other hand, putting restrictions on an employee’s private phone use is often considered an affront. This being the case, some employees will inevitably take measures to subvert any restrictions while continuing to connect to the corporate network. Corporations spend a lot of time and money trying to monitor these privately owned devices to prevent a breach.

Criminals have long been aware of the fact that smartphones connected to corporate networks (endpoints) offer the best entranceways into those networks. They have numerous ways to exploit these weak points. They also prefer to attack Android OS devices. Why? It’s a matter of numbers. Android devices vastly outnumber iOS devices, as can be seen in the chart below. So hackers, for the most part, go where the money is.
android market

There are a number of ways attackers can install malware on a device, and there is no need to go through all of these here. Recently, one of the most popular ways to take control of an Android device is by infecting a legitimate app and placing it on Google Play. This is what the malware known as, DressCode, did back in 2016. But this malware had more in mind than just stealing passwords from phone owners. It wanted to penetrate any network that the phone was connected to.

DressCode did this by compromising routers through which all devices on a network were connected. The criminals were, then, part of the network and could send what they found within this network directly to their own command and control (C&C) servers. The diagram below from Trend Micro shows some of the details of this process.

dresscode diagram

Keep in mind that any malware that infects a network can incorporate all of the devices on it into a botnet which could be used for DDoS attacks or spamming campaigns. It is important to note that such things as printers and cameras can also be part of such a network. Attackers could remotely view what is happening in an office through a network connected camera, for example.

Trend Micro’s exposure of DressCode enabled Google to detect its code on infected apps. That should have been the end of the problem, but it was not. DressCode came back in 2017 in new garb, which Trend Micro referred to as, MilkyDoor. In April of 2017, Trend Micro reported that it had found 400 infected Android apps on Google Play which had been downloaded up to a million times. MilkyDoor was a DressCode upgrade in that it encrypted all communications with its C&C, making it difficult to detect. The apps that were infected were legitimate, popular apps that had been repackaged with the malware. The encrypted communications made unusual activity difficult to detect, as the apps worked as expected. As Trend Micro noted, “MilkyDoor poses greater risk to businesses due to how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.” It could easily be leveraged into a ransomware attack platform.

But again, once MilkyDoor’s secrets were exposed, Google Play was able to remove any infected apps. That should have been the end of the story, but, for some reason, it wasn’t. Recently, DressCode, or at least a variation on it, has returned with a vengeance.

Earlier this year, it was reported that DressCode may have built a 4 million device botnet. This may not be so surprising if it weren’t for the way this botnet could be used to penetrate corporate networks. DressCode uses a SOCKS proxy to make these devices effectively tunnel through any firewalls to communicate with the attackers directly. The attackers are, then, in a position to compromise routers and enter any network these endpoints may be connected to without being detected. Since no encryption is used on this recent version of the botnet, the compromised devices are open to any other attackers who are interested in them.

Back in November, Symantec noted unusual activity in Google Play when it found 8 apps that contained malware which looked like it was designed to build botnets. At that time, they pointed out that these apps had the unusual feature of building connections through a SOCKS proxy. They, thus, called this malware, Android.Sockbot. In fact, it was DressCode. It’s purpose was to establish an ad-generating botnet. “The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.” Since up to 2.6 million downloads of these apps occurred, that meant a lot of revenue from a large ad botnet. Below is an example of what is contained in these infected apps. Notice the permissions that it requires.

funbaster permissions

The developer of these ads, FunBaster, is no longer found on Google Play, but can still be located on sites like Apkpure. Oddly, searching for the developer on the site will not lead you to the developer’s page, which is shown below. I’m not sure why this is the case.


The app promises, “various of minecraft skins for pe greatly transform your boring gameplay”, which may tip you off on the validity of the app. I ran one of these apps through VirusTotal where only 3 of 62 malware detection programs found problems with it.

funbaster detected

It appears to originate in, of all places, Russia.

With over 4 million devices connected to networks, it’s pretty clear that DressCode isn’t going away anytime soon, With free access to the botnet for any interested private or state-run hacking group, it is only a matter of time before these infected Android devices do more than just spread advertising. It’s simply too sophisticated to escape the attention of those who have more nefarious purposes in mind.

Now, back to BYOD. Despite these impending attacks on Android endpoints, over 70% of companies are either implementing or planning to implement a BYOD policy. It is a perfect storm or, at least, a perfect opportunity for hackers looking for corporate information.

byod percent

The WorkPlay Solution

 What if you could solve the BYOD dilemma? What if you could allow your employees to use their Android smartphones to browse as carelessly as they’d like while still having access to your corporate network? And, best of all, what if it didn’t even matter if they were victimized by malware such as DressCode because that malware, even though it was on the same device connected to your network, could not access your network? How is all of this possible? Go here to find out.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s