Security researchers have discovered a new strain of malware that turns Android devices into backdoors, giving malicious attackers the ability to access any internal network that the infected device is connected to. According to security firm Trend Micro, around 200 unique Android apps available on the Google Play Store were embedded with the malicious backdoor program dubbed MilkyDoor. One infected app was installed anywhere between 500,000 and a million times on Google Play.

The researchers said MilkyDoor seems to be a successor to DressCode, an Android malware that also employs a proxy using Socket Secure (SOCKS) protocol to gain access to an affected device's internal networks without a user's knowledge or consent.

"MilkyDoor adds a few malicious tricks of its own," the researchers said in a blog post. "Among them are its more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic."

MilkyDoor does this by using remote port forwarding via Secure Shell (SSH) tunnels through the often used Port 22 to help the malware better blend its malicious traffic and payload with normal network traffic and avoid detection.

The infected apps ranged from Doodle apps, various card games and style guides to books for children, the researchers said.

"We surmise that these are legitimate apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their popularity to draw victims," the researchers said.

Experts also warned that MilkyDoor poses a greater threat to businesses due its coding that is specifically designed to "attack an enterprise's internal networks, private servers, and ultimately, corporate assets and data".

"Its stealth lies in how the infected apps themselves don't have sensitive permissions and consequently exist within the device using regular or seemingly benign communication behaviour," the researchers noted. " MilkyDoor can covertly grant attackers direct access to a variety of an enterprise's services - from web and FTP to SMTP in the internal network. The access can then be leveraged to poll internal IP addresses in order to scan for available — and vulnerable — servers."

To evade detection, the MilkyDoor code runs android.process.s disguised as an Android system package. Once executed, it requests a third-party server to retrieve the infected device's local IP address, including the country, city and coordinates, and uploads the data to its command and control (C&C) server. The server then responds with data containing a SSH server's user, password and host which the malware uses to establish a tunnel between the infected device and the attacker.

A screenshot of an app embedded with MilkyDoor Trend Micro
A screenshot showing the number of downloads for a popular app affected by MilkyDoor Trend Micro

"MilkyDoor's routines resemble anonymising and internet censorship-bypassing services," the researchers said, noting that the malicious code has been distributed since as early as August 2016. They added that MilkyDoor's SSH tunnel may have been used to create fake traffic and earn money through click fraud campaigns as well.

Trend Micro says it has already disclosed its findings to Google and has worked with them to take down the infected apps.

The firm also suggests that users be wary of any suspicious apps and keep their OS updated. Network administrators are also advised to closely monitor their internal systems and implement better system restrictions, permissions policies and a strong patch management process to boost security.