Remember the Viking Horde malware that was embedded in several Google Play apps and went undetected for a couple months? Now, a similar malware named DressCode has been discovered in more than 40 apps in the Google Play Store.
IT security company Check Point, which first reported about Viking Horde's existence back in May, says that some of the malicious apps have existed in the Google Play Store since April. Check Point also reveals that aside from the infected Google Play apps, DressCode is also embedded in more than 400 other apps that are distributed through third-party app stores.
"Some of the apps reached between 100,000 and 500,000 downloads each," details the Check Point research team in a blog post dated Aug. 31. The malicious apps, in total, have been downloaded 500,000 to 2 million times from the Google Play Store.
A good example is the Dress up Musa Winx app, which was uploaded to Google Play on April 6 and has since then managed 100,000 to 500,000 installs. Another is Dress up princess Apple White.
Check Point explains that just like Viking Horde, DressCode allows hackers to control devices without their owners' knowledge. A pool of infected devices forms a botnet, which hackers can use for various purposes. Naturally, the botnet's capabilities expand as its pool of devices grows larger.
"Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to 'sleep,' to keep it dormant until there's a use for the infected device," Check Point explains, noting that once the attacker activates the malware, he or she can reroute traffic through the device by turning it into a SOCKS proxy.
The IT security company suspects that DressCode's botnet, which uses proxied IP addresses, is being used to generate revenue for the attacker by disguising ad clicks and generating false traffic. Check Point, however, points out that the biggest cause for concern is the malware's ability to access internal networks.
Given that the malware can route traffic through infected devices, the hacker can infiltrate the internal networks that the devices connect to. This becomes especially dangerous for organizations and enterprises that have BYOD (Bring-Your-Own-Device) implementations that allow access to internal corporate web servers.
The video below demonstrates how an attacker can use the DressCode malware to retrieve documents and other file types from internal networks.