MilkyDoor is an Android malware embedded in 200 apps available in the Google Play Store, one of which has between 500,000 and 1,000,000 installs. The malicious apps, ranging from style guides to drawing apps, are believed to be legitimate apps that the attackers repackaged. MilkyDoor appears to be the successor to DressCode: both use Socket Secure (SOCKS) proxies to gain access, unbeknownst to the user, into the networks that infected mobile devices connect to. Among MilkyDoor's distinctive capabilities is its use of port forwarding over Secure Shell (SSH), which lets it encrypt its traffic and payloads, bypass security restrictions, and hide its malicious activity within normal network traffic. Businesses are especially at risk because the malware is designed to infect internal networks and private servers in order to reach corporate data. Once it has infiltrated a network, the attackers can access enterprise services, discover company IP addresses, and then scan them for vulnerabilities to exploit. Companies with a bring your own device (BYOD) policy are at greater risk from this malware.
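The two network behaviours described above, a mobile device holding an outbound SSH session to an Internet host (the SOCKS-over-SSH tunnel) and the same segment then touching many internal addresses (the follow-on scanning), are what a defender can look for in flow telemetry. The following Python detector is an added example, not code from the original page or from Trend Micro's research; the BYOD subnet, the "internal" ranges, the duration and fan-out thresholds, the key=value log format and every sample record are constructed assumptions.

```python
"""Added example: flag the MilkyDoor-style traffic patterns over constructed flow logs."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical address plan (assumed values, not from the page): the mobile/BYOD wireless
# segment, and the RFC 1918 ranges that count as "internal" for this network.
BYOD_SUBNET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_LIVED_SECONDS = 600   # assumed threshold for a "long-lived" SSH session
FANOUT_THRESHOLD = 20      # assumed number of distinct internal hosts that looks like a scan

# Assumed flow-record layout: "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp> duration=<s>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) duration=(?P<duration>\d+)$"
)


@dataclass
class Finding:
    src: str     # BYOD device that triggered the rule
    rule: str    # "outbound-ssh-tunnel" or "internal-fanout"
    detail: str  # human-readable evidence


def is_internal(addr: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return a dict for one flow record, or None if the line does not match the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["dport"] = int(f["dport"])
    f["duration"] = int(f["duration"])
    return f


def detect(flow_lines, byod=BYOD_SUBNET, min_duration=LONG_LIVED_SECONDS, fanout=FANOUT_THRESHOLD):
    """Rule 1: long-lived outbound SSH from a BYOD device to a non-internal host.
    Rule 2: one BYOD device contacting many distinct internal hosts (post-tunnel scanning)."""
    findings = []
    internal_targets = defaultdict(set)
    for line in flow_lines:
        f = parse_flow(line)
        if f is None:
            continue
        if ipaddress.ip_address(f["src"]) not in byod:
            continue  # only the mobile segment is in scope for these rules
        if (f["proto"] == "tcp" and f["dport"] == 22
                and not is_internal(f["dst"]) and f["duration"] >= min_duration):
            findings.append(Finding(f["src"], "outbound-ssh-tunnel",
                                    f"{f['dst']}:22 held for {f['duration']}s"))
        if is_internal(f["dst"]):
            internal_targets[f["src"]].add(f["dst"])
    for src, hosts in internal_targets.items():
        if len(hosts) >= fanout:
            findings.append(Finding(src, "internal-fanout", f"{len(hosts)} distinct internal hosts"))
    return findings


# Constructed sample records (not real telemetry). Phone 10.20.5.17 holds a 90-minute SSH
# session to an Internet host; phone 10.20.9.44 then probes 25 internal addresses.
SAMPLE_FLOWS = [
    "2017-04-21T10:03:12Z src=10.20.5.17 dst=203.0.113.45 dport=22 proto=tcp duration=5400",
    "2017-04-21T10:04:01Z src=10.20.5.17 dst=10.1.3.9 dport=22 proto=tcp duration=30",      # internal SSH: not rule 1
    "2017-04-21T10:05:40Z src=10.30.8.2 dst=203.0.113.45 dport=22 proto=tcp duration=7200",  # not BYOD: out of scope
    "2017-04-21T10:06:15Z src=10.20.9.44 dst=198.51.100.7 dport=22 proto=tcp duration=45",   # short session: not rule 1
] + [
    f"2017-04-21T10:07:{i:02d}Z src=10.20.9.44 dst=10.1.0.{i} dport=445 proto=tcp duration=1"
    for i in range(1, 26)
]

if __name__ == "__main__":
    for fnd in detect(SAMPLE_FLOWS):
        print(f"{fnd.rule:22} {fnd.src:12} {fnd.detail}")
```

Run on the sample records it reports the tunnel from 10.20.5.17 and the 25-host fan-out from 10.20.9.44, while ignoring the internal admin SSH session, the short external session, and the non-BYOD laptop. In production the thresholds would be tuned per segment, and rule 1 is best scoped to segments where outbound SSH from handsets is not expected at all.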

Technical Details:

  • Trend Micro researchers provide technical details on the MilkyDoor Android malware, available here.