DressCode Android malware equipped to infiltrate corporate networks (October 21, 2016)

Dell Sonicwall Threats Research Team received a number of reports for an Android threat which, if executed in the right conditions, can compromise data in a corporate environment. This threat was found as a small component in a different variety of apps like games, battery optimizers and themers. Interestingly, this threat managed to infiltrate Google Play store and a number of different app stores thereby infecting a large number of devices.

The corporate mobile space has been dominated by Blackberry in the past but it has not been able to keep up with the growth and innovation from Android and Apple in recent times, as a result it has lost its lead. Android has started to make its presence felt in the corporate segment in the form of Bring Your Own Device (BYOD), few reasons being the following:

• User profiles allows a user to separate personal and business data
• Enhanced security features like SELinux and an updated security patch policy
• Improved productivity apps like Calendar, Docs and Sheets
• Cheaper hardware costs

Regardless of the size of a company, it is of utmost importance to have a sound plan that ensures protection of the company's informational assets. Companies strive to protect this whereas attackers try to penetrate and steal this information. DressCode is an Android threat that is equipped to do exactly this.

Once the app gets installed on the victim's device a service starts running in the background, this establishes a tunnel between itself and the attacker. The infected device can now receive commands from the attacker.

This threat uses Socket Secure(SOCKS) protocol to establish a connection with the attacker's Command and Control(C&C) server, essentially converting the device into a proxy bypassing firewalls and other security mechanisms that may be present. This is especially dangerous if the infected device is connected to a corporate network as there is a direct tunnel that connects the attacker to the corporate network thereby allowing him to access any resource that the infected device might be connected to.

Below figure shows an instance of a DressCode malware establish Socks connection with the attacker (Reference):

• Packets 1-3 are for TCP handshake : , and
• Once the handshake is complete the communication between client and server begins, the client initiates by sending a HELLO packet

DressCode has seen some changes since its inception, first discovered in April 2016. Initial threats had hard-coded IP addresses, the more recent ones have a hard-coded domain name:

DressCode samples have a very small portion in their code that makes up the malicious part, rest of the code is filled with adware component. Figure below shows a distribution of the malicious component in two separate apk files:

This malware threat is a devious one, while still having minimal malicious code it manages to be extremely dangerous. DressCode can potentially cripple businesses under the following scenarios:

• DressCode infected mobile devices that are directly connected to the corporate network can allow the attacker to access sensitive data. The risk can vary depending on the device privileges allowed by the company policy
• Infected tablets that are used by customer facing representatives in businesses like restaurants and shops can expose sensitive business data
• Infected tablets/customer kiosks in retail giants can expose sensitive customer data
• Infected devices are essentially zombie machines at this point as they can execute commands provided by the attacker, if the infection spreads to a large number of devices in an organization then we have a potential botnet that can bring a business down with Denial-of-service (DOS) attacks
• An attacker can use an infected device to discover more weak points in an organization or home network and plan a new attack, thereby making DressCode the first stage of a more sophisticated attack

Dell SonicWALL provides protection against this threat via the following signature:

• GAV: AndroidOS.DressCode.DX (Trojan)