When Check Point researchers unearthed more than 40 apps on Google Play (and 400 on third party app stores) infected with the so-called DressCode malware in late October, it was just the tip of the iceberg.

Trend Micro researchers have announced last week that the company has found at least 3,000 trojanized apps containing the malware, more than 400 of which were offered on Google Play (and some of which have been downloaded by hundreds of thousands of users).

The trojanized apps range from games and themes to phone optimization boosters. For example, a modification app for Minecraft PE (Pocket Edition) has been modified to include the malware and has been downloaded from Google Play by at least 100,000 users.

What does DressCode do?

Similar to the Viking Horde Android malware, DressCode’s main aim is to make the infected device part of a botnet that is currently being used for click fraud.

But, it can also just as easily be used for mounting DDoS attacks and send out spam.

DressCode is also a threat to enterprise and home networks.

“If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard,” the researchers noted.

Connected to a home network, the compromised device can be used by attackers to log into a poorly secured router, allowing them to access the home LAN and other devices connected to it (e.g. IP cameras).

“While DressCode’s infection methods and behavior isn’t unique, the number of trojanized apps that found their way to a legitimate app store is certainly significant,” the researchers noted, and added that users should be extremely careful when downloading and installing new apps.

“If you are downloading a new app, make sure it’s from a legitimate app store. Check reviews online and on the download page, and do a little research to make sure it’s not a malicious app,” they advised.