MilkyDoor Infests 200 Android Apps

About 200 unique Android apps have been embedded with the MilkyDoor backdoor, which is built to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.

According to Trend Micro, the trojanized apps masquerade as recreational applications like style guides and Doodle applications, and are likely legitimate apps which cyber-criminals have repackaged and then republished in Google Play, banking on their popularity to draw victims. One of the apps had installs ranging between 500,000 and a million on Google Play.

“MilkyDoor is similar to DressCode—an Android malware family that adversely affected enterprises—given that both employ a proxy using Socket Secure (SOCKS) protocol to gain a foothold into internal networks that infected mobile devices connect to,” explained Trend Micro researchers Echo Duan and Jason Gu, in an analysis. “MilkyDoor, maybe inadvertently, provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting the SOCKS proxies. Further, this is carried out without the user’s knowledge or consent.”

MilkyDoor does add some new functionality, including clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic.

“The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices,” the researchers said. “Its stealth lies in how the infected apps themselves don’t have sensitive permissions and consequently exist within the device using regular or seemingly benign communication behavior.”

MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services—from web and FTP to SMTP—on the internal network. From there, they can pivot and locate vulnerable servers and internal databases that lack authentication mechanisms.
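The network-side footprint of the behaviour described above is a BYOD device holding a long-lived outbound SSH session to an external host it has no business reaching. The following added example (not code from Trend Micro's analysis or from the malware) flags that pattern in constructed flow records; the BYOD and internal address ranges, the sanctioned bastion host, TCP/22 as the SSH port and the ten-minute threshold are all assumptions, since the article does not state MilkyDoor's actual port or infrastructure.

```python
import ipaddress
from collections import defaultdict

# Assumptions, labelled: BYOD Wi-Fi range, internal ranges, a sanctioned bastion,
# SSH on TCP/22 (MilkyDoor's actual port is not stated here) and a 10-minute threshold.
BYOD_NET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_SSH_DST = {ipaddress.ip_address("203.0.113.10")}
SSH_PORTS = {22}
MIN_DURATION_S = 600

def parse_flows(text):
    """Parse constructed CSV flow records: src,dst,dport,duration_s,bytes_out."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, dport, dur, nbytes = line.split(",")
        flows.append((src, dst, int(dport), int(dur), int(nbytes)))
    return flows

def suspicious_ssh_tunnels(flows):
    """Map each BYOD host to the external, non-sanctioned hosts it held long SSH sessions with."""
    hits = defaultdict(set)
    for src, dst, dport, dur, _ in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in BYOD_NET:
            continue                      # only devices on the BYOD segment
        if dport not in SSH_PORTS or dur < MIN_DURATION_S:
            continue                      # short or non-SSH sessions are noise here
        if any(dst_ip in n for n in INTERNAL_NETS) or dst_ip in ALLOWED_SSH_DST:
            continue                      # internal or sanctioned SSH endpoints
        hits[src].add(dst)
    return {h: sorted(d) for h, d in hits.items()}

# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = """
# src,dst,dport,duration_s,bytes_out
10.50.3.21,198.51.100.7,22,5400,81234
10.50.3.21,192.0.2.50,443,30,12000
10.50.3.44,203.0.113.10,22,7200,50000
10.0.8.5,198.51.100.7,22,9000,4000
10.50.9.8,198.51.100.9,22,45,2000
"""

if __name__ == "__main__":
    for host, dsts in suspicious_ssh_tunnels(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: long-lived outbound SSH to {', '.join(dsts)}")
```

Only the first sample host is reported: the bastion session is sanctioned, the non-BYOD host is out of scope, and the 45-second session falls under the duration threshold.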

“Tracing the malware and the SDK revealed that they were distributed as early as August 2016,” the researchers said. “The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3. Our research into MilkyDoor also pointed us to a traffic arbitrage service being advertised in a Russian bulletin board system (BBS). We construe that the SSH tunnel MilkyDoor builds is also used to create fake traffic and perpetrate click fraud to generate more revenue for the attackers.”

Best practices mobile users can adopt to protect themselves from MilkyDoor and similar threats include exercising caution with suspicious apps and keeping the device’s OS up to date.