DressCode is a family of malware that targets Android OS and is distributed via apps in the Google Play Store as well as those in unofficial third-party app stores. According to Google Play statistics, 500,000 to 2,000,000 users downloaded apps that were bundled with DressCode. This malware hijacks the infected devices and connects them to a botnet, constantly communicating with the attacker’s C2 server and executing additional actions such as serving up ads to the victim and performing click-fraud for profit. DressCode works by setting up a SOCKS proxy, allowing the attacker to control devices that reside on firewalled networks. This feature can potentially allow attackers to scan networks for sensitive information, exfiltrate data, and escalate their access.

Reporting and Technical Details

  • August 2016: Check Point Software Technologies Ltd. discovered DressCode bundled into more than 40 apps in the Google Play Store and over 400 apps in unofficial third-party app stores. (Check Point)

One example of the DressCode variant. Image Source: Check Point Software Technologies Ltd.