By Echo Duan and Jason Gu (Mobile Threat Response Engineers)

Mobile malware continues to grow in prevalence and in its disruptive impact on enterprises as mobile devices become an increasingly preferred platform for flexibly accessing and managing data. We recently found 200 unique Android apps embedded with a backdoor, MilkyDoor (detected by Trend Micro as ANDROIDOS_MILKYDOOR.A); one of these apps had between 500,000 and a million installs on Google Play.

MilkyDoor is similar to DressCode (ANDROIDOS_SOCKSBOT.A), an Android malware family that adversely affected enterprises, in that both employ a proxy using the Socket Secure (SOCKS) protocol to gain a foothold into the internal networks that infected mobile devices connect to. MilkyDoor, maybe inadvertently, provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting up SOCKS proxies. Further, this is carried out without the user’s knowledge or consent.

While MilkyDoor appears to be DressCode’s successor, MilkyDoor adds a few malicious tricks of its own. Among them are its more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via Secure Shell (SSH) tunnel through the commonly used Port 22. The abuse of SSH helps the malware encrypt malicious traffic and payloads, which makes detection of the malware trickier.

We found these Trojanized apps masquerading as recreational applications ranging from style guides and books for children to Doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their popularity to draw victims.

Impact to Enterprises

MilkyDoor poses greater risk to businesses due to how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data. The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices. Its stealth lies in how the infected apps themselves don’t have sensitive permissions and consequently exist within the device using regular or seemingly benign communication behavior.

The repercussions are also significant. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services in the internal network, from web and FTP to SMTP. The access can then be leveraged to poll internal IP addresses in order to scan for available, and vulnerable, servers. The recent spate of compromises in MongoDB and ElasticSearch databases, where their owners were also extorted, is a case in point. The servers were public, a problem exacerbated by the lack of authentication mechanisms in their internal databases.

Figure 1: A sample MilkyDoor-carrying app in Google Play

Figure 2: According to the app’s Google Play page, its number of installations already reached between 500,000 and 1,000,000.

A Better Version of DressCode?

The malicious code runs a process called android.process.s, disguised as an Android system package in order to draw attention away from it when running. Upon the Trojanized app’s installation, MilkyDoor sends a request to a third-party server, which we’ve tracked as freegeoip[.]net, to obtain the device’s local IP address, including the country, city, and its coordinates (longitude/latitude). It then uploads information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format that contains an SSH server’s user, password, and host. The malware’s operators leverage Java Secure Channel (JSch), a common library that is a pure Java implementation of SSH2, to establish the SSH tunnel between the infected device and the attacker.



Figure 3: The structure of the malicious code

Figure 4: Running a process alone in AndroidManifest.xml

To use its port forwarding feature, MilkyDoor smuggles various types of Internet traffic into or out of a network. This can be employed to avoid network monitoring or sniffers, or even bypass firewalls on the Internet. In this case, the attacker’s server, as an SSH server, lets the infected apps connect while the server also listens to local ports. Through this tunnel, all traffic traversing this port will then be forwarded to the client host’s internal network.

DressCode was noted for building a proxy using the Socket Secure (SOCKS) protocol on Android devices in order to access internal networks. MilkyDoor leverages the SOCKS protocol and remote port forwarding via SSH to achieve dynamic port forwarding, which in turn allows data to traverse to all remote destinations and ports. Because the SSH tunnel uses Port 22, firewalls usually do not block traffic that goes through this port; the tunnel also encrypts the payloads transmitted over the network connection. In a nutshell, MilkyDoor’s routines resemble anonymizing and Internet censorship-bypassing services.

Figure 5: Code snapshots showing how MilkyDoor collects local IP details

Figure 6: MilkyDoor leveraging JSch library to carry out port forwarding through SSH tunnel

Figure 7: Infected mobile devices allow attackers to bypass firewall to breach internal servers

Retracing the MilkyDoor(s)

In-depth analysis of the malicious code within the software development kit (SDK) integrated in the apps indicates they were updated versions (1.0.6). Tracing the malware and the SDK revealed that they were distributed as early as August 2016. The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3.

Our research into MilkyDoor also pointed us to a traffic arbitrage service being advertised in a Russian bulletin board system (BBS). We construe that the SSH tunnel MilkyDoor builds is also used to create fake traffic and perpetrate click fraud to generate more revenue for the attackers. Delving further into one of the MilkyDoor-infected apps, we saw that the certificate used is linked to a high-profile cyberespionage/information theft campaign.

So how does it stack up to DressCode? While MilkyDoor’s backdoor capabilities—and the security risks entailed—can be deemed at par with DressCode’s, MilkyDoor’s techniques and routines reflect the apparent complexity its developers are inclined to utilize. Its way of blending in with normal network traffic (via dynamic port forwarding) to better hide its malicious activities, and the use of SSH tunnel to enable the encryption of payloads are just some of its notable highlights.

Mitigation

As mobile threats continue to diversify and mount up in scale and scope, businesses and end users must reinforce their security posture against threats like MilkyDoor. End users are recommended to be more prudent in terms of securing their mobile devices, especially if they are used to connect, access, and manage corporate networks and assets.

DressCode and MilkyDoor build a proxy using the SOCKS protocol on Android devices in order to access internal networks. The compromised device has to connect to an external port to get commands from the attacker’s command and control (C&C) server before the proxy is created. For BYOD devices, enterprises can deploy firewalls to help restrict, if not prevent, internal systems from accessing uncommonly used external ports, one of the key techniques employed by these kinds of threats.
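The network pattern described in this post can also be hunted for in flow logs. The following is an added example, not code from the original analysis: it flags BYOD devices that hold a long-lived outbound SSH session to an external host while connecting to many internal services. The subnet, port list, thresholds and flow-record layout are assumptions, and the flow records are constructed.

```python
import ipaddress

# Assumptions (hypothetical addressing plan, port list and thresholds).
BYOD_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICE_PORTS = {21, 25, 80, 443, 9200, 27017}  # FTP, SMTP, web, Elasticsearch, MongoDB

# Constructed flow records: start_epoch duration_s src dst dst_port
SAMPLE_FLOWS = """\
1000 7200 10.20.4.17 203.0.113.50 22
1060 1 10.20.4.17 10.1.0.5 80
1061 1 10.20.4.17 10.1.0.6 80
1062 1 10.20.4.17 10.1.0.7 21
1063 1 10.20.4.17 10.1.0.8 25
1064 2 10.20.4.17 10.1.0.9 27017
1065 2 10.20.4.17 10.1.0.10 9200
2000 90 10.20.9.3 198.51.100.7 22
2030 3 10.20.9.3 10.1.0.5 443
3000 4 10.20.7.8 10.1.0.5 443
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def parse_flows(text):
    for line in text.strip().splitlines():
        start, dur, src, dst, port = line.split()
        yield int(start), int(dur), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def find_tunnel_suspects(text, min_tunnel_s=600, min_targets=5):
    flows = [f for f in parse_flows(text) if f[2] in BYOD_NET]
    # Step 1: long-lived outbound SSH sessions from BYOD devices to external hosts.
    tunnels = {}
    for start, dur, src, dst, port in flows:
        if port == 22 and not is_internal(dst) and dur >= min_tunnel_s:
            tunnels.setdefault(src, []).append((start, start + dur, dst))
    # Step 2: internal service endpoints the same device contacted while a tunnel was up.
    suspects = {}
    for src, sessions in tunnels.items():
        targets = {(dst, port) for start, _, s, dst, port in flows
                   if s == src and is_internal(dst) and port in SERVICE_PORTS
                   and any(t0 <= start <= t1 for t0, t1, _ in sessions)}
        if len(targets) >= min_targets:
            suspects[str(src)] = {"ssh_peers": sorted({str(p) for _, _, p in sessions}),
                                  "internal_targets": len(targets)}
    return suspects

if __name__ == "__main__":
    print(find_tunnel_suspects(SAMPLE_FLOWS))
```

With the default thresholds only 10.20.4.17 is reported; the short SSH session from 10.20.9.3 and the SSH-free browsing from 10.20.7.8 are not.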

Best practices that mobile users can adopt include exercising caution with suspicious apps and keeping the device’s Operating System (OS) up-to-date. Android patches and updates are fragmented, however, so users should contact their device’s Original Equipment Manufacturer (OEM) for their availability. Organizations that adopt Bring Your Own Device (BYOD) programs in the workplace must maintain a balance between productivity, flexibility, privacy, and security. For IT and system administrators, a robust patch management process and better system restrictions/permissions policies can help improve security for BYOD devices.

Trend Micro Solutions

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.

We have disclosed our findings to Google and worked with them to take down the malicious apps on Google Play. A list of Indicators of Compromise (IoCs) comprising related hashes (SHA256) and C&C communication can be found in this appendix.

Updated as of April 23, 2017, 11:40PM, UTC-7: We updated the first paragraph to indicate only one app had installs between 500,000 and one million.