The malware's name comes from the countless dress-up games in which DressCode's authors have hidden their malicious code.
Check Point, the security firm that discovered this threat, says it identified over 40 apps on the Google Play store infected with malware, and over 400 similar apps distributed via unofficial third-party stores.
DressCode infected at least half a million Android devices
DressCode-infected apps made their way to the Google Play Store starting April 2016, but Google has intervened and removed the applications at Check Point's behest.
According to Google Play statistics, DressCode apps infected between 500,000 and 2,000,000 users, with one of the most successful apps being downloaded between 100,000 and 500,000 times just by itself.
At the technical level, the DressCode malware includes malicious code that hijacks infected devices and connects them to a botnet.
The malware acts like a beacon that constantly communicates with the botnet's command and control (C&C) server. Whenever the botnet's author decides which malicious actions to execute, they simply ping the desired devices and send them the malicious code to run.
DressCode transforms infected devices into proxy servers
Communications between the C&C server and the malware are carried out via a SOCKS proxy set up on the infected device. This proxy allows the botnet operator to reach even firewalled networks, deep inside corporate infrastructure.
Attackers could use this access to send commands to the infected device, which could then scan the internal network for valuable information to steal or for ways to escalate their access.
This is the worst-case scenario; most likely, DressCode operators use the infected devices to deliver ads and perform click fraud for their own financial gain.
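One way a network defender could look for the proxy-pivot pattern described above, as an added example that is not from the article or from Check Point: it scans constructed flow records for an internal device that holds a long-lived session to an external host (the beacon to the C&C server) and, from the same address, fans out to many internal hosts it would normally never contact. The address ranges, flow format and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Private ranges treated as "inside the firewall" (assumption for this example).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

# Constructed flow records: (timestamp, src, dst, dst_port, duration_seconds).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
FLOWS = [
    # Infected phone: one long-lived outbound session to the C&C host...
    ("2016-09-01T08:00:00", "10.20.0.57", "203.0.113.10", 443, 5400),
    # ...followed by short connections fanning out across the office subnet,
    # traffic that the C&C operator relays through the device's SOCKS proxy.
    ("2016-09-01T08:05:10", "10.20.0.57", "10.20.1.11", 445, 1),
    ("2016-09-01T08:05:11", "10.20.0.57", "10.20.1.12", 445, 1),
    ("2016-09-01T08:05:12", "10.20.0.57", "10.20.1.13", 445, 1),
    ("2016-09-01T08:05:13", "10.20.0.57", "10.20.1.14", 22, 1),
    ("2016-09-01T08:05:14", "10.20.0.57", "10.20.1.15", 8080, 1),
    # Laptop on a long VPN/HTTPS session that only touches two internal hosts: benign.
    ("2016-09-01T08:10:00", "10.20.0.12", "198.51.100.5", 443, 7200),
    ("2016-09-01T08:11:00", "10.20.0.12", "10.20.1.11", 445, 30),
    ("2016-09-01T08:12:00", "10.20.0.12", "10.20.1.40", 443, 12),
    # Monitoring server: many internal peers but no external beacon: benign.
    ("2016-09-01T08:20:00", "10.20.1.200", "10.20.1.11", 22, 2),
    ("2016-09-01T08:20:01", "10.20.1.200", "10.20.1.12", 22, 2),
    ("2016-09-01T08:20:02", "10.20.1.200", "10.20.1.13", 22, 2),
    ("2016-09-01T08:20:03", "10.20.1.200", "10.20.1.14", 22, 2),
    ("2016-09-01T08:20:04", "10.20.1.200", "10.20.1.15", 22, 2),
]

def find_proxy_pivots(flows, min_beacon_s=600, min_internal_peers=5):
    """Return {device: (external_host, sorted internal peers)} for internal devices
    that both hold a session >= min_beacon_s to an external host (the C&C beacon)
    and reach at least min_internal_peers distinct internal hosts (the pivot)."""
    beacon = {}                 # device -> external host it stays connected to
    peers = defaultdict(set)    # device -> internal hosts it reached
    for _ts, src, dst, _port, duration in flows:
        if not is_internal(src):
            continue            # only devices inside the network can act as the relay
        if not is_internal(dst):
            if duration >= min_beacon_s:
                beacon[src] = dst
        elif dst != src:
            peers[src].add(dst)
    return {dev: (c2, sorted(peers[dev]))
            for dev, c2 in beacon.items() if len(peers[dev]) >= min_internal_peers}
```

With the constructed flows, only the phone at 10.20.0.57 is reported; the laptop and the monitoring server each match only one half of the pattern.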
Before discovering DressCode, the Check Point team had found Viking Horde, a similar Android malware family that also focuses on delivering ads and likewise uses a proxy to interconnect bots and their C&C server.
DressCode Distribution Methods
The DressCode Android malware is distributed mainly through infected apps on the Google Play Store and through third-party software repositories. Both sources can put consumers at risk when they download untrusted applications.
- Dangers of infected Google Play Store Apps – Compared with other repositories, the Google Play Store has a permissive policy for distributing applications. While Google employs a variety of security features that scan apps for malware and other cyber threats, these still rely on signatures and heuristic scans that may not detect every type of issue. Google Play is also known for hosting “copy” applications that mimic well-known programs in both appearance and functionality but are not developed by the company they pretend to represent. Using such a counterfeit program can infect the victim's device with malware if the user interacts with a malicious link or feature inside it.
- Third-Party Stores – Users often turn to third-party repositories to expand the catalog of available apps beyond the official store. Most of these stores employ weak security checks, or none at all, and are a popular place for hosting pirated content and malware.
Known DressCode Infected Apps
Check Point experts have provided a list of some of the most popular applications infected with the DressCode malware.