
DressCode Trojan infected millions of Android devices

Published in the Random EN group
In 2016, researchers came across the DressCode Trojan. It targeted Android devices, and its malicious activity consisted of exfiltrating confidential user data from otherwise protected networks. It turned out that about 400 applications on Google Play were involved in distributing the Trojan.
Fortunately, Google responded to the threat quickly, removing all of the applications that carried the malicious code and using its tools to protect affected users. However, 16 months after the incident it emerged that DressCode had not gone away and was doing fine. Experts believe that, despite the measures Google took, the malware has by now infected as many as four million devices.

An infected phone opens a connection to the attackers' servers and acts as a SOCKS proxy for them, giving the attackers access not only to the compromised device but also to the networks it is connected to. Consider the damage if the infected device is an employee's smartphone joined to the employer's Wi-Fi: the attacker gets a direct path to internal resources that are normally shielded by a firewall or IPS. Worse, the interface through which the server and the attackers set up these connections is unencrypted and requires no authentication, so outsiders can also make use of the infected devices.

The devices can be used as a botnet that directs requests at chosen IP addresses: inflating traffic, generating clicks on banners or paid links, or even mounting a DDoS attack to take a site offline. Experts say the botnet's main purpose is to earn money from advertising fraud, with infected phones receiving thousands of requests every second. A server controlled by the attackers runs a large number of headless browsers that follow advertising links and mimic ordinary ad traffic, and payment is collected through a referral scheme. To keep advertisers from spotting the fake traffic, the server routes it through the compromised devices using the SOCKS proxy. The malware is also capable of attacks on online wallets and bank accounts, including tampering with the details exchanged with banking systems. Preliminary estimates put the losses caused by DressCode at $20 million.
Spotting an infection on the device itself is very hard: the only symptom a user is likely to notice is a battery that drains unusually fast. On the network side, however, a phone that is relaying traffic for a proxy shows up as a long-lived outbound connection to an unfamiliar server followed by connections from the phone to internal hosts it has no reason to talk to, which is something network monitoring can catch.
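As an added illustration (not code from the original article or from any DressCode analysis), the following Python script encodes and decodes SOCKS5 requests as standardised in RFC 1928 and uses them to flag the tell-tale pattern of the relay described above: a SOCKS CONNECT request that arrives from an external address and names an internal host. On a normal forward proxy the CONNECT travels the other way, from an inside client to the proxy. The page does not say which SOCKS version or framing DressCode itself used; SOCKS5 is assumed here. The flow records, IP addresses and the function names (`flag_reverse_socks` and its helpers) are this example's own constructions.

```python
"""Added example: decode SOCKS5 (RFC 1928) requests and flag reverse-proxy
use, i.e. CONNECT requests coming *from* an external host and aimed at
internal addresses.  All names, flows and addresses here are constructed."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH = 0x00

# Ranges treated as "inside" for this example.  Listed explicitly instead of
# using ipaddress.is_private so that the documentation range 203.0.113.0/24,
# which stands in for the Internet below, counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request (RFC 1928 section 4) for host:port."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                      # not an IP literal: send as a name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data: bytes):
    """Decode one SOCKS5 request.  Returns (cmd, host, port, bytes_consumed),
    or None when the bytes are not a complete, well-formed request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:end])) if len(data) >= end + 2 else None
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:end])) if len(data) >= end + 2 else None
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5 or data[4] == 0:
            return None
        end = 5 + data[4]
        host = data[5:end].decode("ascii", "replace") if len(data) >= end + 2 else None
    else:
        return None                         # unknown address type
    if host is None:
        return None                         # truncated
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, host, port, end + 2


def parse_socks_client_bytes(data: bytes):
    """Decode what a SOCKS5 client sends first: the greeting (version,
    nmethods, methods) and then its request.  Returns (methods, request)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = list(data[2:2 + nmethods])
    request = parse_request(data[2 + nmethods:])
    return None if request is None else (methods, request)


def is_internal(host: str) -> bool:
    """True for an IP literal inside INTERNAL_NETS; names are not resolved."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_reverse_socks(flows):
    """flows: iterable of (socks_client_ip, socks_server_ip, client_bytes),
    where client_bytes is what the side speaking as SOCKS *client* sent.  On
    an infected phone that side is the attackers' server, even though the
    phone opened the TCP connection outbound.  Returns the flows in which an
    external SOCKS client asks an internal relay to CONNECT to an internal host."""
    alerts = []
    for client_ip, server_ip, data in flows:
        parsed = parse_socks_client_bytes(data)
        if parsed is None:
            continue                        # not SOCKS5
        methods, (cmd, host, port, _) = parsed
        if cmd != CMD_CONNECT or is_internal(client_ip) or not is_internal(host):
            continue                        # ordinary forward-proxy use
        alerts.append({"c2": client_ip, "relay": server_ip,
                       "target": f"{host}:{port}",
                       "offered_no_auth": METHOD_NO_AUTH in methods})
    return alerts


# Constructed sample flows.
SAMPLE_FLOWS = [
    # LAN laptop using the corporate forward proxy: benign.
    ("192.168.1.20", "192.168.1.5", b"\x05\x01\x00" + build_connect_request("example.com", 443)),
    # External host sending CONNECT *to* a phone on the Wi-Fi, aimed at a
    # file server behind the firewall: the reverse-proxy tell.
    ("203.0.113.7", "192.168.1.42", b"\x05\x01\x00" + build_connect_request("10.0.5.21", 445)),
    # Plain HTTP from the phone: ignored.
    ("192.168.1.42", "198.51.100.9", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in flag_reverse_socks(SAMPLE_FLOWS):
        print(alert)
```

The check keys on direction, not on port numbers or signatures, which is the point: the relay itself speaks standard SOCKS, so what gives it away is that the party issuing CONNECT is outside the network while the destination is inside. In practice the flow records would come from a sensor that reassembles TCP streams on the corporate Wi-Fi; domain-name targets would need to be resolved against internal DNS before `is_internal` can judge them.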