Trend Micro Incorporated has detected MilkyDoor, an Android malware recently found in over 200 Android applications available through the Google Play Store, with installs between 500,000 and 1 million. Like DressCode, another Android malware family that adversely affected enterprises, MilkyDoor also employs a proxy using the Socket Secure (SOCKS) protocol to gain a foothold in the internal networks that infected mobile devices connect to. Trend Micro provides multilayered mobile security solutions to protect organizations from this threat.
Trend Micro found these Trojanized apps masquerading as recreational applications, ranging from style guides and children's books to doodle applications. It surmises that these are legitimate apps that cybercriminals repackaged, Trojanized, and then republished on Google Play, banking on their popularity to draw victims.
The disruptive impact of mobile malware on enterprises continues to grow as mobile devices become an increasingly preferred platform for flexibly accessing and managing data. MilkyDoor adds a few malicious tricks of its own and poses a greater risk to businesses because it is coded to attack an enterprise's internal networks, private servers, and ultimately its corporate assets and data. The way MilkyDoor builds an SSH (Secure Shell) tunnel presents security challenges for an organization's network, particularly in networks that integrate BYOD devices. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise's internal services, from web and FTP to SMTP.
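The behaviour described above (a BYOD device holding an outbound SSH tunnel to the Internet while also reaching internal FTP, SMTP or web services) leaves a combined signature in connection or flow logs. The following is an added illustration of that detection heuristic, not code from Trend Micro or from the malware analysis; the address ranges, port-to-service map and the flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed): a BYOD Wi-Fi segment and the corporate address space.
BYOD_NET = ip_network("10.50.0.0/16")
INTERNAL = [ip_network("10.0.0.0/8")]
# Internal server ports a phone would not normally talk to directly.
SERVICE_PORTS = {21: "ftp", 25: "smtp", 80: "http"}

# Constructed sample flow records: (src_ip, dst_ip, dst_port, duration_seconds).
SAMPLE_FLOWS = [
    ("10.50.1.23", "203.0.113.7", 22, 7200),   # long-lived outbound SSH to the Internet
    ("10.50.1.23", "10.1.4.10", 25, 3),        # same phone reaching internal SMTP
    ("10.50.1.23", "10.1.4.11", 21, 2),        # ... and internal FTP
    ("10.50.1.40", "198.51.100.9", 443, 12),   # ordinary phone browsing
    ("10.50.1.40", "10.1.4.12", 443, 5),       # intranet portal over HTTPS, expected
    ("10.50.1.77", "203.0.113.7", 22, 5),      # brief SSH, no internal service use
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def find_tunnel_candidates(flows, min_ssh_seconds=600):
    """Return {src_ip: details} for BYOD hosts that keep an outbound SSH session
    to a non-internal host for at least min_ssh_seconds AND also connect to
    internal FTP/SMTP/HTTP servers; both conditions must hold to flag a host."""
    ssh_out = defaultdict(int)        # src -> longest external SSH session seen
    internal_hits = defaultdict(set)  # src -> internal services it reached
    for src, dst, port, duration in flows:
        if ip_address(src) not in BYOD_NET:
            continue
        if port == 22 and not is_internal(dst):
            ssh_out[src] = max(ssh_out[src], duration)
        elif is_internal(dst) and port in SERVICE_PORTS:
            internal_hits[src].add(f"{dst}:{SERVICE_PORTS[port]}")
    return {
        src: {"ssh_seconds": duration, "internal_services": sorted(internal_hits[src])}
        for src, duration in ssh_out.items()
        if duration >= min_ssh_seconds and internal_hits[src]
    }

if __name__ == "__main__":
    for host, info in find_tunnel_candidates(SAMPLE_FLOWS).items():
        print(host, info)
```

Requiring both the tunnel and the internal-service access keeps legitimate SSH users off the list; the thresholds and port map should be tuned to what is normal in a given environment.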
“As mobile threats continue to diversify and mount up in scale and scope, businesses and end users must reinforce their security posture against threats like MilkyDoor. We, at Trend Micro, provide multilayered mobile security solutions such as Trend Micro Mobile Security for Android, which is also available on Google Play, that benefit end users and enterprises. Trend Micro Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, and protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps and detecting and blocking malware and fraudulent websites,” said Nilesh Jain, Country Manager (India and SAARC), Trend Micro.
“Trend Micro suggests that users be more cautious of suspicious apps and keep their OS updated. Meanwhile, network administrators are advised to heavily monitor and place secure restrictions on how employees can use devices when connected to their systems, as well as institute an effective patch management process,” he added.
Trend Micro’s research into MilkyDoor also pointed to a traffic arbitrage service being advertised in a Russian bulletin board system (BBS). Trend Micro construes that the SSH tunnel MilkyDoor builds is also used to create fake traffic and perpetrate click fraud to generate more revenue for the attackers.