In the fall of 2016, a source announced the appearance of a new type of malware, the Android Trojan DressCode, which enrolled infected devices in a botnet without the user's knowledge. The hacker who wrote it exfiltrated confidential information even from secured networks by distributing the malware in phone applications that anyone could download from many app stores, including Google's Play store. After the problem was discovered, Google announced the removal of 400 applications that distributed DressCode from its official store.
According to Ars Technica, an anonymous hacker published evidence 16 months later that the DressCode botnet still functions today and currently includes about 4 million bots. The malware poses a serious threat because it forces the infected device to use the SOCKS protocol to connect directly to the attacker's server. Botnet operators can tunnel into the home or corporate network in which the infected smartphone is located, steal the router's credentials, and even gain access to PCs on the network to steal confidential information stored on them.
The program interface the attackers use to establish a connection to the C&C server is unencrypted and does not require authentication, which means that anyone, not only the DressCode operators, can use the infected devices for their own purposes.
Though the botnet was first discovered in 2016, it was shown to be still highly active a year later, in October 2017. According to Symantec, the malware (called Sockbot in Symantec's documents) was downloaded a total of 2.6 million times from Google Play. According to an anonymous hacker, DressCode is active to this day, despite Google's attempts to remove malicious applications from its store.
If the hacker is to be believed, he managed to break into the C&C server and the private GitHub account holding DressCode's source code. He found evidence that malware hidden in applications continues to be active on many infected devices, despite regular notifications that Google receives from white-hat program analysts. It is unclear whether the devices were re-infected after the company remotely removed DressCode from them, or whether Google only removed the malicious applications from its store and left them on the devices of users who had already downloaded them.