
MilkyDoor malware turns Androids into backdoors to attack enterprise networks


A new Android malware family hides its traffic inside an encrypted SSH tunnel, letting it blend in with normal network traffic and evade detection while giving its operators a path into internal networks.

The backdoor, known as MilkyDoor, has so far been found in 200 unique Android apps available on the official Google Play Store. Some of those apps boast between 500,000 and one million installs. Among them is "Hairstyles step by step", shown below.


The app “Hairstyles step by step”, which Google has since removed from its app store. (Source: TrendMicro)

Hundreds of other programs, including children's books and doodle applications, have also been found carrying MilkyDoor. It appears the criminals took existing legitimate apps, repackaged them with the malicious code, and uploaded the trojanized versions to the Play Store, no doubt expecting the modified copies to attract large numbers of downloads on the strength of their parent programs' popularity.


The structure of MilkyDoor’s malicious code. (Source: TrendMicro)

MilkyDoor runs as a process named android.process.s, mimicking a legitimate Android system process so that it does not stand out while running. Once executed, it collects the device's location information and uploads it to its command-and-control (C&C) server; the server responds with the username, password, and host of an SSH server, and the malware uses those credentials to open an SSH tunnel from the infected device to the attacker's server.

Why is this important? Trend Micro's mobile threat response team explains in a blog post that it has to do with DressCode, MilkyDoor's presumed predecessor:

“DressCode was noted for building a proxy using the Socket Secure (SOCKS) protocol on Android devices in order to access internal networks. MilkyDoor leverages the SOCKS protocol and remote port forwarding via SSH to achieve dynamic port forwarding, which in turn allows data to traverse to all remote destinations and ports. Because the SSH tunnel uses Port 22, firewalls usually do not block traffic that goes through this port; this enables data encryption of payloads transmitted over a network connection.”

In other words, these routines let MilkyDoor's operators slip past an organization's perimeter defenses and use the infected device as a pivot into the company's internal network. The key point is direction: the tunnel is opened outbound from the phone, so a firewall that permits outgoing SSH sees only an ordinary encrypted session, while the attacker's traffic emerges from the device on the inside, where it can reach hosts the firewall would never expose directly. From there, the attackers can scan for vulnerable servers, possibly with the intention of holding databases for ransom.


Infected mobile devices allow attackers to bypass the firewall and breach internal servers. (Source: TrendMicro)
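The pattern in the figure above can be hunted for in egress flow logs. The following is an added example (not code from the article or from Trend Micro) of a detection heuristic a network defender could run: flag a BYOD device that holds a long-lived outbound SSH session to an external host and, while that session is up, fans out to many distinct internal host:port pairs, which is what the attacker's scan looks like when it arrives through the reverse tunnel. The flow-log layout, subnet ranges, thresholds, and the sample records are all constructed for the example.

```python
"""Detect MilkyDoor-style reverse-SSH pivots in egress flow logs.

Added example; not code from the article or from Trend Micro. The flow-log
layout, subnets, thresholds and sample records are constructed. One record
per line: start_epoch duration_s src_ip dst_ip proto dst_port bytes_out bytes_in
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

BYOD_NET = ipaddress.ip_network("10.50.0.0/16")        # hypothetical mobile/BYOD VLAN
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),   # hypothetical internal server ranges
                 ipaddress.ip_network("192.168.0.0/16"))
LONG_SESSION_S = 600   # a persistent tunnel outlives a typical admin login
MIN_FANOUT = 8         # distinct internal host:port pairs touched while the tunnel is up


class Flow(NamedTuple):
    start: int
    duration: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-log format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 8:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(int(f[0]), int(f[1]), ipaddress.ip_address(f[2]),
                          ipaddress.ip_address(f[3]), f[4].lower(), int(f[5]),
                          int(f[6]), int(f[7])))
    return flows


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_reverse_tunnel_pivots(flows: List[Flow]) -> Dict[str, dict]:
    """Return {device_ip: evidence} for BYOD hosts that (1) hold a long-lived
    outbound TCP/22 session to an external peer and (2) while it is up, reach
    many distinct internal host:port pairs. (2) is the attacker's scan coming
    back through the reverse tunnel; (1) alone is just someone using SSH."""
    by_src = defaultdict(list)
    for fl in flows:
        if fl.src in BYOD_NET:
            by_src[fl.src].append(fl)

    hits: Dict[str, dict] = {}
    for src, fls in by_src.items():
        tunnels = [f for f in fls if f.proto == "tcp" and f.dport == 22
                   and not is_internal(f.dst) and f.duration >= LONG_SESSION_S]
        for t in tunnels:
            window_end = t.start + t.duration
            targets = {(str(f.dst), f.dport) for f in fls
                       if is_internal(f.dst) and t.start <= f.start <= window_end}
            if len(targets) >= MIN_FANOUT:
                hits[str(src)] = {"tunnel_peer": str(t.dst),
                                  "tunnel_seconds": t.duration,
                                  "bytes_from_peer": t.bytes_in,
                                  "internal_targets": len(targets)}
                break
    return hits


# Constructed sample log: one pivot, one benign admin login, one long but
# low-fanout session, and one server outside the BYOD range.
SAMPLE_FLOWS = """\
1493000000 4200 10.50.3.17 203.0.113.10 tcp 22 91234 4875123
1493000130 1 10.50.3.17 10.0.12.5 tcp 3306 120 0
1493000131 1 10.50.3.17 10.0.12.5 tcp 6379 120 0
1493000132 1 10.50.3.17 10.0.12.5 tcp 27017 120 0
1493000133 1 10.50.3.17 10.0.12.6 tcp 3306 120 0
1493000134 1 10.50.3.17 10.0.12.6 tcp 6379 120 0
1493000135 1 10.50.3.17 10.0.12.6 tcp 27017 120 0
1493000136 1 10.50.3.17 10.0.12.7 tcp 3306 120 0
1493000137 1 10.50.3.17 10.0.12.7 tcp 6379 120 0
1493000138 1 10.50.3.17 10.0.12.7 tcp 27017 120 0
1493000900 40 10.50.3.17 10.0.12.7 tcp 27017 5000 118000
1493000050 35 10.50.4.2 203.0.113.20 tcp 22 3000 2500
1493000060 2 10.50.4.2 10.0.12.5 tcp 443 800 9000
1493000300 3600 10.50.6.1 198.51.100.7 tcp 22 40000 20000
1493000310 2 10.50.6.1 10.0.20.1 tcp 443 800 9000
1493000320 2 10.50.6.1 10.0.20.2 tcp 443 800 9000
1493000000 7200 10.0.30.4 203.0.113.10 tcp 22 100 100
"""

if __name__ == "__main__":
    for device, evidence in find_reverse_tunnel_pivots(parse_flows(SAMPLE_FLOWS)).items():
        print(device, evidence)
```

Only 10.50.3.17 is reported: its 70-minute external SSH session overlaps nine distinct internal host:port pairs, while the 35-second admin login and the hour-long session that touches just two internal services both fall below the thresholds. The heuristic deliberately requires both signals, since a long outbound SSH session by itself is common and an app that talks to many internal services is not suspicious without the tunnel.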

To protect against MilkyDoor, enterprises should enforce firewall policies on BYOD devices and on the network segments they connect to, restricting outbound connections to ports that ordinary mobile traffic does not need, such as TCP port 22, so that a device cannot quietly open an SSH tunnel to an outside host. At the same time, users should exercise caution with suspicious apps and keep their mobile operating systems up to date.

About the author, David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire’s “The State of Security” blog, and Contributing Author to Carbonite.
