DressCode Android Malware Identified in over 40 Google Play Store Applications

Security experts identified a new Android malware family known as DressCode in over 40 Applications in Google Play. It can be used as a proxy to relay attacks in compromised networks and can steal sensitive information from hosts.

The DressCode Android Malware Has a High Infection Rate

Experts from Check Point, a well-known security vendor, have discovered a new Android threat known as DressCode. The malware is found in over 40 applications in the Google Play Store and 400 apps in third-party repositories. The first infections were made in April this year however Google have intervened in the process and have removed the affected applications upon the submitted reports of the vendor.

The Google Play statistics indicate that DressCode has infected between 500 000 and 2 000 000 users. One of the most popular apps that hosted the malware has been downloaded between 100 000 and 500 000 times as per their report.

The DressCode family contains code that hijacks the target devices and connects them to a botnet network. DressCode relies on constant communication with the main command and control (C&C) server of the botnet for commands. The developers of the malware need only to send their malicious instructions to the botnet to have them executed by the victim machines.

The communication itself is carried out via a SOCKS proxy setup that is created upon infection. This allows the botnet operators to control machines behind firewalls and other security counter measures that are widely used by corporate networks and government facilities. Serious damages can be caused if the device is located in a trusted network zone where a lot of devices are connected to the internal network as DressCode can scan all reachable hosts for vulnerabilities and exposed shares. Security experts propose that the most likely scenario is that DressCode exploits the infected devices to perform click-fraud and advertising campaigns for financial gain.

DressCode Distribution Methods

The DressCode Android malware is distributed mainly by infected Google applications and third-party software repositories. Both locations can be risky for the security of the consumers who download untrusted applications.

  1. Dangers of infected Google Play Store Apps – The Google Play Store, in comparison with other repositories, has an encouraging policy of distributing applications. And while Google employs a variety of security features that scan apps for malware and other types of cyber threats, they still rely on definitions and heuristic scans that may not detect all types of issues. Google Play is noteworthy for hosting a variety of “copy” applications that mimic famous programs in both appearance and functionality but are not developed by the company that they pretend to be. As a result of their use malware can be spread to the victim machine if they interact with a malicious link or feature of the counterfeit program.
  2. Third Party Stores – They are often used by users looking to expand the traditional catalog of available apps by using these third party repositories. Most of them do not employ strong security checks (or any at all) and are a popular place for hosting illegal content and malware.

Known DressCode Infected Apps

Check Point experts have provided a list of some of the most popular applications infected with the DressCode malware.

  • com.dark.kazy.goddess.lp
  • com.whispering.kazy.spirits.pih
  • com.shelter.kazy.ghost.jkv
  • com.forsaken.kazy.game.house
  • com.dress.up.Musa.Winx.Stella.Tecna.Bloom.Flora
  • com.dress.up.princess.Apple.White.Raven.Queen.Ashlynn.Ella.Ever.After.High
  • com.monster.high.Dracubecca.freaky.Fusion.draculaura
  • com.dress.up.Cerise.Hood.Raven.Queen.Apple.White.Ever.After.Monster.High
  • com.ever.after.high.Swan.Duchess.barbie.game
  • com.cute.dressup.anime.waitress
  • com.rapunzel.naughty.or.nice
  • guide.slither.skins
  • clash.royale.guide
  • guide.lenses.snapchat
  • com.minecraft.skins.superhero
  • com.catalogstalkerskinforminecraft_.ncyc
  • com.applike.robotsskinsforminecraft
  • com.temalebedew.modgtavformcpe
  • com.manasoft.skinsforminecraftunique
  • com.romanseverny.militaryskinsforminecraft
  • com.temalebedew.animalskinsforminecraft
  • com.temalebedew.skinsoncartoonsforminecraft
  • com.str.carmodsforminecraft
  • com.hairstyles.stepbystep.yyhb
  • com.str.mapsfnafforminecraft
  • com.weave.braids.steps.txkw
  • mech.mod.mcpe
  • com.applike.animeskinsforminecraftjcxw
  • com.str.furnituremodforminecraft
  • com.vladgamerapp.skin.editor.for_.minecraft
  • ru.sgejko.horror.mv
  • com.vladgamerapp.skins.for_.minecraft.girls
  • com.zaharzorkin.cleomodsforgtasailht
  • com.temalebedew.ponyskins
  • com.my.first.date.stories
  • com.gta.mod.minecraft.raccoon
  • com.applike.hotskinsforminecraft
  • com.applike.serversforminecraftpe
  • com.zaharzorkin.pistonsmod
  • wiki.clash.guide
  • mobile.strike.guide
  • prank.calling.app
  • sonic.dash.guide

How disturbing is this problem?

Avatar

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *