DressCode Android Malware Discovered on Google Play

The Check Point mobile threat prevention research team discovered a new Android malware on Google Play, called “DressCode,” which was embedded into more than 40 apps, and found in more than 400 additional apps on third party app stores. Check Point notified Google about the malicious apps, and some have already been removed from Google Play.

The oldest apps were uploaded to Google Play on April 2016, where they remained undetected until recently. Some of the apps reached between 100,000 and 500,000 downloads each. Between 500,000 and 2,000,000 users downloaded the malicious apps from Google Play.

Figure 1: One of the malicious apps found on Google Play.

Similar to Viking Horde, DressCode creates a botnet that uses proxied IP addresses, which Check Point researchers suspect were used to disguise ad clicks and generate false traffic, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots can be used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.

Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to “sleep,” to keep it dormant until there’s a use for the infected device. When the attacker wants to activate the malware, he can turn the device into a socks proxy, rerouting traffic through it.

Below are pictures of additional samples of the DressCode Malware, as found on Google Play:

So, why should you be concerned about such malware?

Both Viking Horde and DressCode malware create botnets which can be used for various purposes, and even to infiltrate internal networks. Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations.

To demonstrate how this could be achieved, Check Point researchers created a video , showing how attackers could potentially use the DressCode malware to access an internal network and retrieve sensitive files from it.

Appendix – Package names found on Google Play

• com.dark.kazy.goddess.lp
• com.whispering.kazy.spirits.pih
• com.shelter.kazy.ghost.jkv
• com.forsaken.kazy.game.house
• com.dress.up.Musa.Winx.Stella.Tecna.Bloom.Flora
• com.dress.up.princess.Apple.White.Raven.Queen.Ashlynn.Ella.Ever.After.High
• com.monster.high.Dracubecca.freaky.Fusion.draculaura
• com.dress.up.Cerise.Hood.Raven.Queen.Apple.White.Ever.After.Monster.High
• com.ever.after.high.Swan.Duchess.barbie.game
• com.cute.dressup.anime.waitress
• com.rapunzel.naughty.or.nice
• guide.slither.skins
• clash.royale.guide
• guide.lenses.snapchat
• com.minecraft.skins.superhero
• com.catalogstalkerskinforminecraft_.ncyc
• com.applike.robotsskinsforminecraft
• com.temalebedew.modgtavformcpe
• com.manasoft.skinsforminecraftunique
• com.romanseverny.militaryskinsforminecraft
• com.temalebedew.animalskinsforminecraft
• com.temalebedew.skinsoncartoonsforminecraft
• com.str.carmodsforminecraft
• com.hairstyles.stepbystep.yyhb
• com.str.mapsfnafforminecraft
• com.weave.braids.steps.txkw
• mech.mod.mcpe
• com.applike.animeskinsforminecraftjcxw
• com.str.furnituremodforminecraft
• com.vladgamerapp.skin.editor.for_.minecraft
• ru.sgejko.horror.mv
• com.vladgamerapp.skins.for_.minecraft.girls
• com.zaharzorkin.cleomodsforgtasailht
• com.temalebedew.ponyskins
• com.my.first.date.stories
• com.gta.mod.minecraft.raccoon
• com.applike.hotskinsforminecraft
• com.applike.serversforminecraftpe
• com.zaharzorkin.pistonsmod
• wiki.clash.guide
• mobile.strike.guide
• prank.calling.app
• sonic.dash.guide