A newly discovered Android malware called MilkyDoor turns mobile devices into “walking backdoors” that give attackers access to whatever network an infected user is connected to, Trend Micro warned in a blog post on Thursday. Affected phones essentially act as proxy servers that link legitimate networks with malicious command-and-control servers via the Socket Secure (SOCKS) protocol, allowing bad actors to exfiltrate data.
According to the report, Trend Micro recently found the malicious backdoor program embedded within approximately 200 unique Android apps, each of which was installed anywhere between 500,000 and a million times from Google Play. These apps posed as style guides, children’s books, drawing applications and other recreational apps. “We surmise that these are legitimate apps which cybercriminals repackaged and trojanized then republished in Google Play, banking on their popularity to draw victims,” the blog post stated, adding that Google removed the apps after Trend Micro privately disclosed them.
Businesses, particularly those with Bring Your Own Device mobile policies, are especially at risk from this mobile malware, which appears purpose-built to attack a company’s internal networks, private servers and data. It allows adversaries to infiltrate a company’s web services, access FTP and SMTP servers, and scan internal IP addresses to sniff out vulnerable hosts.
“Attackers can poke around the network… and then ask for a response from the system that it can see from the Android device… It’s just using the phone as a bridge,” said Mark Nunnikhoven, VP of cloud research at Trend Micro, in an interview with SC Media.
MilkyDoor’s SOCKS-based mechanism for moving laterally from a phone to a connected network places it squarely in the same family as the DressCode malware. DressCode has already been found in thousands of Android apps, hundreds of which were at one point available via the Google Play Store. (As with MilkyDoor, many of these malicious applications were also recreational in nature.)
However, Trend Micro believes MilkyDoor is actually more sophisticated and dangerous than its predecessor because it also uses remote port forwarding via Secure Shell (SSH) tunneling to help its malicious activities better blend in with normal network traffic.
The SSH tunneling occurs over port 22, which firewalls don’t typically block for outbound traffic. Furthermore, communication with the C&C server is practically undetectable to network admins because the traffic flowing through the tunnel is encrypted and raises no obvious red flags.
The apps don’t give mobile device owners much reason to be suspicious either. They’re perfectly functional, and they don’t ask for any unusual permissions, such as allowing network access. They don’t need to, because the SSH tunneling and port forwarding already give the bad actors the access they need to infiltrate a network.
“You’re essentially unimpacted as an Android user… You’re just blissfully unaware. There’s no… external indicator that’s something wrong,” said Nunnikhoven. “I don’t know that I’m a ‘walking backdoor’ for the attacker.”
Trend Micro believes that the latest version of this malware has been distributed since August of last year and that MilkyDoor’s SSH tunnel may also be used to create fake traffic and earn money via click fraud campaigns.
To protect organizations from this threat, Trend Micro suggests that users beware of suspicious apps and keep their OS updated. Meanwhile, network administrators are advised to closely monitor and tightly restrict how employees can use devices when connected to their systems, as well as institute an effective patch management process.
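As an added illustration of the monitoring that recommendation calls for (example code written for this page, not from Trend Micro or SC Media), the following flags outbound SSH sessions leaving an assumed mobile-device subnet in constructed flow records. The subnet, the RFC 1918 internal ranges, the duration threshold and the flow records are all assumptions.

```python
"""Flag outbound SSH (TCP/22) flows from a BYOD subnet to external hosts.
MilkyDoor-style backdoors tunnel C&C traffic over SSH remote port forwarding,
so the egress pattern, not the encrypted payload, is the detectable signal.
Subnets, thresholds and flow records below are constructed, not real data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

BYOD_SUBNET = ip_network("10.50.0.0/16")   # assumed mobile-device range
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]   # RFC 1918, treated as internal
LONG_SESSION_SECONDS = 600   # assumed threshold separating tunnels from logins

# Constructed flow records: src_ip,dst_ip,dst_port,proto,duration_seconds
SAMPLE_FLOWS = """\
10.50.12.7,203.0.113.44,22,tcp,5400
10.50.12.7,192.0.2.10,443,tcp,12
10.50.33.101,198.51.100.9,22,tcp,30
10.10.4.2,203.0.113.44,22,tcp,7200
10.50.8.19,10.50.8.1,22,tcp,900
"""

@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    duration: int
    reason: str

def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_ssh_egress(flow_text: str) -> List[Alert]:
    """One Alert per TCP/22 flow from BYOD_SUBNET to a non-RFC1918 host.
    Internal SSH and flows from wired/server subnets are left alone; very
    long sessions are labelled as probable tunnels."""
    alerts = []
    for line in filter(None, flow_text.splitlines()):
        src, dst, port, proto, duration = line.split(",")
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if proto != "tcp" or int(port) != 22 or src_ip not in BYOD_SUBNET:
            continue
        if is_internal(dst_ip):
            continue
        secs = int(duration)
        reason = ("long-lived SSH tunnel from mobile device"
                  if secs >= LONG_SESSION_SECONDS
                  else "SSH egress from mobile device")
        alerts.append(Alert(src, dst, secs, reason))
    return alerts
```

Run against the constructed records it raises two alerts: the 90-minute session from 10.50.12.7 as a probable tunnel, and the short session from 10.50.33.101; the wired host and the internal SSH hop are ignored.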