MilkyDoor malware turns Androids into backdoors to attack enterprise networks

Routines and techniques build on those of the malware’s predecessor, DressCode.

A new Android malware family is able to blend in with normal network traffic and avoid detection by encrypting its payloads, in order to access internal networks.

The backdoor, known as MilkyDoor, has so far affected 200 unique Android apps available on the official Google Play Store. Some of those apps boast between 500,000 and one million installs. Among them is Hairstyles step by step, as seen below.

[Figures: The app "Hairstyles step by step", which Google has since removed from its app store. (Source: Trend Micro)]

Hundreds of other programs, including books for children and doodle applications, have also suffered infections by MilkyDoor. It appears criminals seized most if not all of these apps, repackaged them with malware, and uploaded them to the Play Store. No doubt they thought these modified versions would still attract large numbers of downloads based upon the popularity of their parent programs.

[Figure: The structure of MilkyDoor's malicious code. (Source: Trend Micro)]

MilkyDoor runs as android.process.s, disguised as an Android system process, in order to evade detection while running. Upon successful execution, it retrieves the device's location information and uploads it to its command and control (C&C) server, which responds with data containing an SSH server's username, password, and host. The malware in turn uses that information to establish an SSH tunnel between the infected device and the attacker.

Why is this important? Trend Micro's mobile threat response team explains in a blog post that the answer lies in DressCode, MilkyDoor's presumed predecessor:

"DressCode was noted for building a proxy using the Socket Secure (SOCKS) protocol on Android devices in order to access internal networks. MilkyDoor leverages the SOCKS protocol and remote port forwarding via SSH to achieve dynamic port forwarding, which in turn allows data to traverse to all remote destinations and ports. Because the SSH tunnel uses Port 22, firewalls usually do not block traffic that goes through this port; this enables data encryption of payloads transmitted over a network connection."

In other words, these routines allow MilkyDoor's attackers to evade security solutions set up by an organization and leverage infected devices to breach the company's internal network. From there, they scan for vulnerable servers, possibly with the intention of holding databases for ransom.

[Figure: Infected mobile devices allow attackers to bypass the firewall and breach internal servers. (Source: Trend Micro)]

To protect against MilkyDoor, enterprises should deploy firewalls on BYOD devices to help prevent internal systems from accessing uncommonly used ports like Port 22. At the same time, users should exercise caution around suspicious apps and should keep their mobile operating systems up-to-date.
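The egress control recommended above is easiest to verify from network flow records: a standing SSH tunnel from a BYOD device to an unfamiliar external host shows up as a long-lived TCP/22 session. The following is an added example for defenders, not code from the article or from Trend Micro; the BYOD subnet, the bastion allowlist and the flow records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network, not from the article: BYOD Wi-Fi is 10.50.0.0/16 and the
# only sanctioned external SSH destination is a corporate bastion host.
BYOD_NET = ipaddress.ip_network("10.50.0.0/16")
SSH_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_LIVED_SECONDS = 600  # a standing tunnel keeps one TCP session open for a long time

# Constructed flow records (src,dst,dst_port,duration_seconds); the 198.51.100.23
# session mimics a device holding a 90-minute SSH tunnel to an unknown host.
SAMPLE_FLOWS = """\
10.50.12.7,203.0.113.10,22,95
10.50.12.7,198.51.100.23,22,5400
10.50.12.9,198.51.100.23,443,30
10.20.1.4,198.51.100.23,22,20
10.50.14.3,192.0.2.77,22,45
"""

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    duration: int

def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, dur = line.split(",")
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), int(dur)))
    return flows

def suspicious_ssh_tunnels(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Flag BYOD hosts with SSH sessions to external hosts outside the allowlist."""
    hits = []
    for f in flows:
        if f.dport != 22 or f.src not in BYOD_NET:
            continue  # only egress SSH from the BYOD segment is in scope
        if f.dst in SSH_ALLOWLIST or any(f.dst in n for n in INTERNAL_NETS):
            continue  # sanctioned or internal destination
        reason = "SSH to non-allowlisted external host"
        if f.duration >= LONG_LIVED_SECONDS:
            reason += f", long-lived session ({f.duration}s)"
        hits.append((f, reason))
    return hits
```

Feeding real NetFlow or firewall session logs into `parse_flows` in the same four-column shape gives the list of devices that a port-22 egress rule for the BYOD segment would have stopped.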

One Response

  1. Ed S

    April 24, 2017 at 2:14 pm

    From end of article: "At the same time, users should exercise caution around suspicious apps and should keep their mobile operating systems up-to-date."

    From body of article: "Hundreds of other programs, including books for children and doodle applications, have also suffered infections by MilkyDoor. It appears criminals seized most if not all of these apps, repackaged them with malware, and uploaded them to the Play Store."

    How are you supposed to be suspicious of apps if this malware repackages popular apps?

    "MilkyDoor runs android.process.s disguised as an Android system process in order to evade detection while running."

    Article says it can evade detection.

    How do you check your device against this?