A newly discovered Android malware called MilkyDoor turns mobile devices into “walking backdoors” that give attackers access to whatever network an infected user is connected to. Affected phones essentially act as proxy servers that link legitimate networks with malicious command-and-control servers via Socket Secure (SOCKS) protocol, allowing bad actors to exfiltrate data.
It uses remote port forwarding via Secure Shell (SSH) tunnels to hide malicious traffic and grant attackers access to firewall-protected networks. The malware was recently found in over 200 Android applications available through the Play Store. Google has removed them from their official app store.
In total, researchers estimate the apps had between 500,000 and 1 million installs only through the Play Store alone.
While MilkyDoor appears to be DressCode’s successor, MilkyDoor adds a few malicious tricks of its own. Among them are its more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via Secure Shell (SSH) tunnel through the commonly used Port 22. The abuse of SSH helps the malware encrypt malicious traffic and payloads, which makes detection of the malware trickier.
We found these Trojanized apps masquerading as recreational applications ranging from style guides and books for children to Doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their popularity to draw victims.
MilkyDoor poses greater risk to businesses due to how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data. The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices. Its stealth lies in how the infected apps themselves don’t have sensitive permissions and consequently exist within the device using regular or seemingly benign communication behavior.
The repercussions are also significant. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services—from web and FTP to SMTP in the internal network. The access can then be leveraged to poll internal IP addresses in order to scan for available—and vulnerable—servers. The recent spate of compromises in MongoDB and ElasticSearch databases, where their owners were also extorted, are a case in point. The servers were public, which is exacerbated by the lack of authentication mechanisms in its internal databases.
End users and enterprises can benefit from mobile total security solution, Max Total Security available on Google Play.