Google is removing over 40 malware-infected apps from the Google Play Store. The Android Trojan, dubbed DressCode, builds botnets by converting infected devices into proxy servers. Researchers at cybersecurity firm Check Point said they also uncovered over 400 DressCode-infected apps on third-party app stores.
DressCode-infected apps were found on the Google Play Store as far back as April 2016. According to Check Point researchers Alon Menczer and Alexander Lysunets, the DressCode-infected apps on Google Play were downloaded by 500,000 to 2,000,000 users in total, with some individual apps reaching between 100,000 and 500,000 downloads each.
Check Point researchers said DressCode turns infected devices into proxy servers, thereby creating a botnet. Hackers build botnets to surreptitiously gain control over a large number of devices. Bots can be used for a variety of purposes, including distributing phishing links, malware and ransomware. A botnet's capabilities generally depend on its size, so larger botnets come with more extensive capabilities. The researchers speculated that the proxied IP addresses were likely used by the hackers behind the malware to cloak ad clicks and generate false traffic, which in turn reaps profits for the hackers.
Check Point researchers said: "Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to 'sleep', to keep it dormant until there's a use for the infected device. When the attacker wants to activate the malware, he can turn the device into a socks proxy, rerouting traffic through it."
DressCode's authors can also use the botnet to route traffic through infected devices, giving the hackers access to whatever networks the infected devices can reach, such as the Wi-Fi network a phone is connected to. The attackers can then conduct secondary attacks, including stealing sensitive data from victims, and can also "compromise security for enterprises and organisations".
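The behaviour described above (an initial connection to the command and control server, a long dormant period, then the device being used as a proxy into the local network) leaves a recognisable footprint in network flow logs. The following detector is an added example written for this article, not code from Check Point or from the malware itself: it reads constructed flow records in an assumed "timestamp source destination port" format and flags any internal device that first contacts an external host, goes quiet for at least an hour, and then starts connecting to several distinct internal hosts. The RFC 1918 ranges, the thresholds, and the sample records (which use the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24) are all assumptions to be tuned for a real network.

```python
"""Flag devices whose flows match a 'beacon, sleep, then relay into the LAN' pattern.

Added example for illustration; the flow format and sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges treated as "the local network" (assumption; adjust per site).
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


@dataclass
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the assumed 'ts src dst dport' format."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def find_relay_candidates(flows, min_dormancy=3600, min_internal_hosts=3):
    """Return {device: {"beacon": ts, "internal_hosts": [...]}} for every internal
    device that (1) contacts an external host, (2) is then silent for at least
    min_dormancy seconds, and (3) afterwards connects to min_internal_hosts or
    more distinct internal hosts, i.e. looks like a woken-up proxy bot.
    """
    outbound = defaultdict(list)
    for f in flows:
        if is_internal(f.src):
            outbound[f.src].append(f)

    findings = {}
    for dev, devflows in outbound.items():
        devflows.sort(key=lambda f: f.ts)
        beacon = None          # time of the first external contact
        prev_ts = None         # time of the device's previous flow
        woke = False           # set once a long quiet gap has been seen
        internal_hosts = []    # distinct internal hosts contacted after waking
        for f in devflows:
            if beacon is None:
                # Ignore everything until the first outbound external contact.
                if not is_internal(f.dst):
                    beacon = f.ts
                    prev_ts = f.ts
                continue
            if f.ts - prev_ts >= min_dormancy:
                woke = True    # the device was dormant and is now active again
            prev_ts = f.ts
            if woke and is_internal(f.dst) and f.dst not in internal_hosts:
                internal_hosts.append(f.dst)
        if beacon is not None and len(internal_hosts) >= min_internal_hosts:
            findings[dev] = {"beacon": beacon, "internal_hosts": internal_hosts}
    return findings


# Constructed sample log: .20 beacons out, sleeps ~2 hours, reconnects, then fans
# out to four internal hosts; .30 just talks to a web host and one file server.
SAMPLE_FLOWS = """\
1000 192.168.1.20 203.0.113.10 443
1005 192.168.1.20 203.0.113.10 443
9000 192.168.1.20 203.0.113.10 443
9002 192.168.1.20 192.168.1.5 445
9003 192.168.1.20 192.168.1.6 445
9004 192.168.1.20 192.168.1.7 22
9005 192.168.1.20 192.168.1.8 3389
1000 192.168.1.30 198.51.100.7 443
1100 192.168.1.30 198.51.100.7 443
1200 192.168.1.30 192.168.1.5 445
"""


def scan(text: str, **kwargs):
    """Parse raw records and return the findings dictionary."""
    return find_relay_candidates([parse_flow(l) for l in text.splitlines() if l.strip()], **kwargs)


if __name__ == "__main__":
    for dev, info in scan(SAMPLE_FLOWS).items():
        print(f"{dev}: beaconed at {info['beacon']}, later reached {info['internal_hosts']}")
```

On its own this pattern is a lead, not a verdict: a phone that syncs overnight and then opens a few connections to printers and file shares in the morning can look similar, which is why the thresholds are parameters and why a hit should be correlated with the app inventory of the device before anything is blocked.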
This is not the first Android malware to use popular game apps to propagate. Several fake Pokémon Go Android apps popped up after the immense success of the game, one of which was found to be lockscreen malware that pushed porn ads to infected users. Other Android malware variants have been found posing as banking Trojans, one of which, called Fanta SDK, drained victims' bank accounts while masquerading as a bank app.