In 2016, researchers uncovered a botnet that turned infected Android phones into covert listening posts that could siphon sensitive data out of protected networks. Google at the time said it removed the 400 Google Play apps that installed the malicious botnet code and took other, unspecified "necessary actions" to protect infected users.

Now, roughly 16 months later, a hacker has provided evidence that the so-called DressCode botnet continues to flourish and may currently enslave as many as four million devices. The infections pose a significant risk because they cause phones to use the SOCKS protocol to open a direct connection to attacker servers. Attackers can then tunnel into home or corporate networks to which the phones belong in an attempt to steal router passwords and probe connected computers for vulnerabilities or unsecured data.

Even worse, a programming interface that the attacker's command and control server uses to establish the connection is unencrypted and requires no authentication, a weakness that allows other attackers to independently abuse the infected phones.

"Since the device actively opens the connection to the C2 server, the connection will usually pass firewalls such as those found in home and SMB routers," Christoph Hebeisen, a researcher at mobile security firm Lookout, said after reviewing the evidence. Hebeisen continued:

Once the connection is open, whoever controls the other end of it can now tunnel through the mobile device into the network to which the device is currently connected. Given the unprotected API [the hacker] found, it may well be possible for anybody with that information to access devices and services that are supposed to be limited to such private networks if a device with [malicious apps] on it is inside the network. Imagine a user using a device running one of these apps on the corporate Wi-Fi of their employer. The attacker might now have direct access to any resources that are usually protected by a firewall or an IPS (intrusion prevention system).

The botnet was publicly documented no later than August 2016, when researchers at security firm Check Point Software published this short post that highlighted the risk of the SOCKS-enabled malware. One month later, Trend Micro reported it found DressCode embedded in 3,000 Android apps, 400 of which were available in the official Play market until Google removed them.

Then in October 2017—more than 14 months after the botnet came to light—Symantec reported a new batch of malicious Google Play apps that had been downloaded as many as 2.6 million times. While Symantec dubbed the malware Sockbot, it used the same C2 server and publicly available, unauthenticated programming interfaces as DressCode for the same purpose of engaging in click fraud.

Evidence of the still-thriving botnet raises important questions about the effectiveness of Google incident responses to reports of malicious Android apps that wrangle phones into botnets. The evidence—which was provided by someone who claimed to have thoroughly hacked the C2 server and a private GitHub account that hosted C2 source code—suggests that code hidden deep inside the malicious titles continues to run on a significant number of devices despite repeated private notifications to Google from security researchers. It's not clear if Google remotely removed the DressCode and Sockbot apps from infected phones and attackers managed to compromise a new set of devices or if Google allowed phones to remain infected.

The evidence also demonstrates a failure to dismantle an infrastructure researchers documented more than 16 months ago and that the hacker says has been in operation for five years. A common industry practice is for security companies or affected software companies to seize control of Internet domains and servers used to run botnets in a process known as sinkholing. It's not clear what steps if any Google took to take down DressCode. The C2 server and two public APIs remained active at the time this post went live.

In an email, a Google spokesman wrote: "We've protected our users from DressCode and its variants since 2016. We are constantly monitoring this malware family, and will continue to take the appropriate actions to help secure Android users." The statement didn't respond to questions if Google was working to sinkhole the C2.

5,000 headless browsers

The hacker said the purpose of the botnet is to generate fraudulent ad revenue by causing the infected phones to collectively access thousands of ads every second. Here's how it works: an attacker-controlled server runs huge numbers of headless browsers that click on webpages containing ads that pay commissions for referrals. To prevent advertisers from detecting the fake traffic, the server uses the SOCKS proxies to route traffic through the compromised devices, which are rotated every five seconds.

The hacker said his compromise of the C2 and his subsequent theft of the underlying source code showed that DressCode relies on five servers that run 1,000 threads on each server. As a result, it uses 5,000 proxied devices at any given moment, and then for only five seconds, before refreshing the pool with 5,000 new infected devices.

After spending months scouring source code and other private data used in the botnet, the hacker estimated the botnet has—or at least at one point had—about four million devices reporting to it. The hacker, citing detailed performance charts of more than 300 Android apps used to infect phones, also estimated the botnet has generated $20 million in fraudulent ad revenues in the past few years. He said the programming interfaces and the C2 source code show that one or more people with control over the adecosystems.com domain are actively maintaining the botnet.

Lookout's Hebeisen said he was able to confirm the hacker's claims that the C2 server is the one used by both DressCode and Sockbot and that it calls at least two public programming interfaces, including the one that establishes a SOCKS connection on infected devices. The APIs, Hebeisen confirmed, are hosted on servers belonging to adecosystems.com, a domain used by a provider of mobile services. He also confirmed that the second interface is used to provide user agents for use in click fraud. (Ars is declining to link to the APIs to prevent further abuse of them.) He said he also saw a "strong correlation" between the adecosystems.com servers and servers referenced in DressCode and Sockbot code. Because the Lookout researcher didn't access private portions of the servers, he was unable to confirm that the SOCKS proxy was tied to the user agent interface, to specify the number of infected devices reporting to the C2, or to determine the amount of revenue the botnet has generated over the years.

Officials with Adeco Systems said that their company has no connection to the botnet and that they're investigating how their servers were used to host the APIs.

By using a browser to visit the adecosystems.com links that hosted the APIs, it was possible to get snapshots of infected devices that included their IP address and geographic location. Refreshing the link would quickly provide the same details for a different compromised phone. Because the data isn't protected by a password, it's likely that anyone who knows the links can establish their own SOCKS connection with the devices, Hebeisen said.













The hacker also accessed a database containing the unique hardware identifier, carrier, MAC number address, and device ID for each infected device. He provided a single screenshot that appeared consistent with what he had described.

Many of the malicious apps, including many of these ones, remain available in third-party marketplaces such as APKPure. Neither Hebeisen nor the hacker said they have any evidence Google Play has hosted DressCode or Sockbot apps in recent months.

While Google has said it has the ability to remotely uninstall malicious apps from Android devices, some critics have argued that this level of control, particularly without end-user consent ahead of time, oversteps a red line. Google may therefore be reluctant to use it. Even assuming the remote capability is heavy-handed, the significant threat posed by the ease of establishing SOCKS connections with potentially millions of devices is arguably precisely the kind of outlier case that would justify Google using the tool. If possible, Google should additionally take steps to take down the C2 server and the adecosystems.com APIs it relies on.

At the moment, there is no known list of apps that install the DressCode and Sockbot code. People who think their phone may be infected should install an antivirus app from Check Point, Symantec, or Lookout and scan for malicious apps. (Each can initially be used for free.) To prevent devices from being compromised in the first place, people should be highly selective about the apps they install on their Android devices. They should download apps only from Play and even then only after doing research on both the app and the developer.