October 11, 2016

400 Trojans on Google Play

News Threats

We often advise Android users to download apps from official app stores only. It is much more secure to search for apps on Google Play because all apps in the store go through rigorous multistep checks and approvals before being finally published.

However, rogue apps have infiltrated Google Play at times. In a recent, massive incident, more than 400 apps on Google Play (and nearly 3,000 in other app stores) turned out to be plagued with the DressCode Trojan.

400 Trojans on Google Play

The malware got its funny name from its first-ever sighting: The Trojan was first detected by researchers back in August 2016, in a number of dress-up apps, a type of gaming app marketed for girls.

One of these games was downloaded 100,000 to 500,000 times from Google Play. Also, other apps were found to be infected by the same Trojan. By then, more than 400 infected apps had been found, about 40 of them on Google Play. The researchers tipped off Google, and the company deleted the rogue apps from the store. But that was just the tip of the iceberg…

By that time another group of researchers had become interested in the Trojan, and they decided to dig deeper and search around various app stores. And just a couple of days ago, the team found about 3,000 apps infected by DressCode at once; more than 400 of them on Google Play.

Most of the affected apps are games or gaming-related apps — for example, apps with tips for gamers and game modifications. Among the malicious apps were a number of performance boosters, optimizers, and other pseudo-useful utilities.

The biggest issue with DressCode is that it is hard to detect. The Trojan’s code is very small compared with the code of its “bearer” program. That’s probably why so many infected apps got through Google’s approval process and into Google Play.

What does DressCode do?

In general, DressCode’s sole purpose is to establish connection to a command-and-control server. Usually, once the connection is established, the server sends a command to the Trojan, putting it to sleep and thus making instant detection almost impossible. Once an adversary decides to use the infected device, they can wake up the Trojan, make it turn a smartphone or a tablet into a proxy server, and use it to redirect Internet traffic.

How do cybercrooks benefit from it?

First, infected devices can be used as a part of a botnet to tunnel requests to certain IP addresses. This method lets criminals boost traffic, generate clicks on banners and paid URLs, and organize DDoS attacks to take down target websites.

Second, if an infected device (say, a corporate smartphone) can access some local network resources, attackers gain access to those as well and can use the device to steal sensitive data.

How do I avoid becoming a part of a botnet?

This is the very rare case when our usual advice — download apps from official stores only — isn’t enough. True, Google Play enjoys a far lower prevalence of malicious apps compared with other Android stores, but 400 infected apps all at once is quite a lot. Besides, they include massive hits such as Minecraft “GTA 5” mode (yes, it really exists), which was downloaded more than 500,000 times.

So we’ll shorten the usual list of recommendations to only two things:

1. Be very cautious when downloading apps. Before installing an unknown app, check user reviews critically, look at its permissions list, and give it some thought. Unfortunately, you cannot trust all Google Play reviews, but at least they can give you some idea of how reliable an app might be.

2. Install a good security solution on your mobile devices. Kaspersky Antivirus & Security for Android detects DressCode as HEUR:Backdoor.AndroidOS.Sobot.a. If you run a paid version of our protection suite, it automatically scans all new apps and will block any utility laced with DressCode from your device. If you installed a free version, don’t forget to scan your device regularly.