A new Android malware family called DressCode can be used as a proxy to relay attacks inside corporate networks and steal information from servers previously considered secure.

The malware's name comes from the countless dress-up games in which DressCode's authors have hidden their malicious code.

Check Point, the security firm that discovered this threat, says it identified over 40 apps on the Google Play store infected with malware, and over 400 similar apps distributed via unofficial third-party stores.

DressCode infected at least half a million Android devices

DressCode-infected apps made their way to the Google Play store starting April 2016, but Google has intervened and removed the applications at Check Point's behest.

According to Google Play statistics, DressCode apps infected between 500,000 and 2,000,000 users, with one of the most successful apps being downloaded between 100,000 and 500,000 times just by itself.

At the technical level, the DressCode malware includes malicious code that hijacks infected devices and connects them to a botnet.

The malware acts like a beacon that constantly communicates with the botnet's command and control (C&C) server. Whenever the botnet's author decides on what malicious actions to execute, they just ping the desired devices and send them the malicious code to execute.

DressCode transforms infected devices in proxy servers

Communications between the C&C server and the malware are carried out via a SOCKS proxy set up on the infected device. This proxy allows the botnet operator to reach even firewalled networks, deep inside corporate infrastructure.

Attackers could use this scenario to send malicious commands to the infected device, which could scan the network for valuable information the attacker could steal, or escalate their access.

This case is a worst-case scenario, and most likely, DressCode operators use the infected devices to deliver ads and perform click-fraud for their personal financial gain.

Before discovering DressCode, the Check Point team had found Viking Horde, a similar Android malware family that also focuses on delivering ads, by using a proxy to interconnect bots and their C&C server.