A new form of Android malware, named MilkyDoor, uses remote port forwarding over Secure Shell (SSH) tunnels, encrypting its traffic so that the malicious activity is hidden from inspection and granting attackers access through the firewall to a variety of an enterprise's services, from web and FTP to SMTP. This is carried out without the user's knowledge or consent. The access can then be leveraged to poll internal IP addresses in order to scan for available, and vulnerable, servers.
Around 200 unique Android apps on Google Play, with install counts ranging between 500,000 and a million, have been found embedded with the malware. Among them is Hairstyles step by step. Hundreds of other programs, including children's books and doodle applications, were also infected with MilkyDoor. It appears criminals took most if not all of these apps, repackaged them with the malware, and uploaded them to the Play Store.
Security researchers from Trend Micro, the ones who discovered MilkyDoor, say they reported the apps to Google, which promptly removed them from their official app store.
MilkyDoor is similar to DressCode in routines and techniques. DressCode was an Android malware family that adversely affected enterprises by infecting mobile devices that connect to their networks. Just like MilkyDoor, DressCode was able to evade Google Play Store security scans, reaching the store on two different occasions, in August and September 2016.
The main difference between the two malware families, however, is that while DressCode relied on SOCKS proxy servers to give attackers access to internal company networks, MilkyDoor creates an SSH tunnel.
MilkyDoor is an improved version of DressCode. The malicious code runs a process called android.process.s, disguised as an Android system package in order to draw attention away from it while running. Upon the Trojanized app's installation, MilkyDoor queries a third-party server, which we've tracked as freegeoip[.]net, to obtain the device's local IP address along with its country, city, and coordinates (longitude/latitude). It then uploads this information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format containing an SSH server's user, password, and host. The malware's operators leverage Java Secure Channel (JSch), a common library that is a pure Java implementation of SSH2, to establish the SSH tunnel between the infected device and the attacker.
In other words, these routines allow MilkyDoor's attackers to evade security solutions set up by an organisation and leverage infected devices to breach the company's internal network. From there, they scan for vulnerable servers, possibly with the intention of holding databases for ransom.
In-depth analysis of the malicious code within the software development kit (SDK) integrated into the apps indicates they were updated versions (1.0.6). Tracing the malware and the SDK revealed that they were distributed as early as August 2016. The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3.
Because the malware operates this way, the only way of stopping MilkyDoor attacks is by detecting the malware on user devices before or during installation. For this, users are advised to employ some sort of mobile security solution for their smartphones. Enterprises are advised to deploy firewalls on BYOD devices to help prevent internal systems from accessing uncommonly used ports like port 22. At the same time, users should exercise caution around suspicious apps and should keep their mobile operating systems up-to-date.
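The firewall advice above can also be checked after the fact: allowed outbound SSH from the BYOD segment to a host outside the company's address space is exactly the traffic MilkyDoor's tunnel would produce. The following is an added example, not code from the article or from Trend Micro; the log format, the 10.20.0.0/16 BYOD segment and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed, simplified firewall log format (hypothetical, not any vendor's):
#   <timestamp> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed BYOD / mobile segment and the RFC 1918 ranges that count as "internal".
BYOD_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Port 22 is the one the article names; extend with other ports a phone should not reach.
WATCH_PORTS = {22}

def parse(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_ssh_egress(lines):
    """Flag ALLOWed TCP connections from the BYOD segment to non-internal hosts on a watched port."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "ALLOW" or rec["proto"].lower() != "tcp":
            continue  # denied traffic was already blocked; only allowed egress is an exposure
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        internal_dst = any(dst in net for net in INTERNAL_NETS)
        if src in BYOD_NET and dport in WATCH_PORTS and not internal_dst:
            alerts.append({"ts": rec["ts"], "src": str(src), "dst": str(dst), "dport": dport})
    return alerts

# Constructed sample: one device opens SSH to the internet, the rest are benign or already blocked.
SAMPLE_LOG = [
    "2017-04-21T10:01:02Z ALLOW src=10.20.5.17:41022 dst=203.0.113.9:22 proto=tcp",
    "2017-04-21T10:01:05Z ALLOW src=10.20.5.17:41030 dst=203.0.113.9:443 proto=tcp",
    "2017-04-21T10:02:11Z DENY src=10.20.7.3:50001 dst=198.51.100.4:22 proto=tcp",
    "2017-04-21T10:03:40Z ALLOW src=10.30.1.8:33000 dst=203.0.113.9:22 proto=tcp",
    "2017-04-21T10:04:00Z ALLOW src=10.20.9.2:40000 dst=10.0.0.5:22 proto=tcp",
]

if __name__ == "__main__":
    for alert in find_ssh_egress(SAMPLE_LOG):
        print(alert)
```

Only the first line is reported: the DENY was already blocked, 10.30.1.8 is outside the BYOD segment, and 10.0.0.5 is an internal SSH host rather than an attacker-controlled one.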
Mobile malware’s disruptive impact on enterprises continues to see an uptick in prevalence as mobile devices become an increasingly preferred platform to flexibly access and manage data.