January 10, 2019

Lookout researchers disable Android malware designed to evade detection

By Alex Reshetniak, Christoph Hebeisen

DressCode, an Android malware family, has resurrected itself multiple times over the past three years, as its creators kept their click fraud business model alive with malware designed to evade detection in different and novel ways. However, earlier this year, Lookout researchers, in collaboration with the domain registrar and the hosting provider used by the botnet creators, disabled the botnet infrastructure, effectively disabling the malware on all compromised devices.

History of DressCode

After its discovery in August 2016, DressCode should have become another relic in the museum of dead malware. Its apps were removed from the Google Play store, its code and communications protocol had been analyzed, and its Command and Control (C2) servers were known. However, instead of looking for a new gig, the malware creator(s) doubled down on their click fraud business model and created new versions of their malware designed to evade detection in new ways.

Since 2016, the malware has made repeated appearances on Google Play, and its public visibility spiked again in January 2018 when an anonymous hacker infiltrated the botnet infrastructure and found a thriving click-fraud operation. The authors of DressCode were able to repeatedly bring their malware back through new methods to evade detection, such as steganography to hide malicious code in pictures. While Lookout customers have been protected from this malware and its many variants, other mobile users kept falling victim to it until Lookout, in collaboration with the domain registrar and the hosting provider used by the botnet creators, disabled the malware on all compromised devices.

How it works

DressCode is a great example of the evolution of Android malware. As mobile threat defense vendors and Google kept rediscovering DressCode, the authors were forced to repeatedly evolve the malware to evade detection so they could keep operating. Thus, security researchers acted as an “environmental pressure” on the authors.

The first samples of DressCode date back to January 2016, and at the time, the malware authors did not make any attempts to hide the malicious code or its functionality. Upon device reboot, a service would be created that established a connection to a command and control server (C2), whose address was hardcoded in the application. In this version, the server could send only two commands:

  • PING, a connection keep-alive, and
  • CREATE, which would make the infected device open a reverse SOCKS proxy connection, allowing the bot master to impersonate the device on the local network.

In a sample captured one month later, in February 2016, the code had been updated to include the additional commands:

  • HELLO - indicating the start of the connection
  • SLEEP - which makes the proxy service pause for 2 minutes and
  • WAIT - pause for 2 seconds, adding the potential for a level of remote-controlled stealth to the malware operation.

In August 2016, around the time DressCode was first publicly reported, the malware authors appear to have switched from using hard-coded IP addresses to a domain name, dfm.nicsm.net, which allowed them to move their C2 server infrastructure without disrupting the botnet.

At this point the creators of DressCode seem to have started feeling the heat from MTD vendors and App Store defenses because in March 2017, a new variant of the malware appeared in which the C2 commands and domain name (dfm03.nicsm.net) had been obfuscated using a substitution algorithm.

Obfuscated commands and the substitution code used for deobfuscation of the C2 server name

In the latest observed variant of the malware, which first appeared around July 2017, all proxy-related classes (further modified from the previous version) have been moved to a separate, small DEX file. The DEX file is then hidden inside an image in the app’s Assets folder using steganography, a technique that, despite being relatively common in PC malware, is not that common yet in the mobile world. While the trigger to start the service, device boot, has not changed since the earliest variant, the code in the main executable (DEX file) of the app is now merely responsible for extracting and decoding the hidden DEX from the PNG file, loading it, and invoking the ‘run’ method of its ‘com.appstatistics.Main’ class.

To hide the code, the malware authors make use of the way the image’s pixels are stored. In 24-bit RGB images, each pixel is stored as three bytes that hold the intensity information for the red, green and blue components of the pixel’s color. The malware authors used the two least significant bits of each byte to hide their data, changing the intensity of each color component by around 1% on average. This allows them to store up to six bits per pixel while introducing practically imperceptible color changes. In practice the code uses two pixels for every byte stored, but even with this inefficient storage method, less than 10% of the pixels of the image are changed to store the 35 kb DEX file that holds the malware payload.

Payload extraction and converting code and the image used to hide the malicious code
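
To make the storage scheme concrete for analysts triaging image assets, the following added example (not Lookout's code and not the malware's own routine) rebuilds bytes from the two low bits of RGB channel bytes and checks the result for the DEX file magic. The bit order, the choice of the first four channels in each two-pixel group, and both sample buffers are assumptions constructed for illustration.

```python
from typing import Optional

DEX_MAGIC = b"dex\n"   # first four bytes of every DEX file
GROUP = 6              # two 24-bit RGB pixels = six channel bytes per stored byte
USED = 4               # assumption: the first 4 channels carry 2 bits each

# Constructed sample: 8 gray pixels whose low bits were chosen to spell "dex\n".
STEGO_SAMPLE = bytes.fromhex(
    "818281808080"     # 01 10 01 00 -> 0x64 'd'
    "818281818080"     # 01 10 01 01 -> 0x65 'e'
    "818382808080"     # 01 11 10 00 -> 0x78 'x'
    "808082828080"     # 00 00 10 10 -> 0x0a '\n'
)
# Constructed sample: 8 untouched gray pixels (all low bits zero).
CLEAN_SAMPLE = bytes([0x80]) * 24


def extract_lsb2(pixels: bytes, max_len: Optional[int] = None) -> bytes:
    """Rebuild hidden bytes from the 2 LSBs of each used channel byte."""
    out = bytearray()
    # Walk complete two-pixel groups only; a trailing partial group is ignored.
    for off in range(0, len(pixels) - GROUP + 1, GROUP):
        if max_len is not None and len(out) >= max_len:
            break
        value = 0
        for channel in pixels[off:off + USED]:
            value = (value << 2) | (channel & 0b11)  # most significant pair first
        out.append(value)
    return bytes(out)


def hides_dex(pixels: bytes) -> bool:
    """True if the recovered byte stream starts with the DEX magic."""
    return extract_lsb2(pixels, len(DEX_MAGIC)) == DEX_MAGIC


def pixels_touched(payload_len: int) -> int:
    """Pixels consumed at two pixels per stored byte, as the article describes."""
    return payload_len * 2


if __name__ == "__main__":
    print("stego sample hides DEX:", hides_dex(STEGO_SAMPLE))
    print("clean sample hides DEX:", hides_dex(CLEAN_SAMPLE))
    # Reading "35 kb" as 35 * 1024 bytes is an assumption about the unit.
    print("pixels touched by a 35 kb payload:", pixels_touched(35 * 1024))
```

For a real asset, decode the PNG to raw RGB bytes first, for example with Pillow's `Image.open(path).convert("RGB").tobytes()`, and pass the result to `hides_dex`.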

Threat to corporate data

DressCode allowed the attacker controlling the malware to use infected Android devices to create network connections appearing to originate from the phone when in reality they were controlled by the bot master. While this can cause unexpected charges on the unsuspecting user’s cell phone bill due to high data usage, this functionality is even more problematic if the device is used in private networks such as a corporate intranet or a small business or home office network where it may have access to internal resources. Such resources are often assumed to be “not reachable from the outside” and as such are poorly (or not at all) secured. DressCode enables the attacker to tunnel into the private network and access its resources.

Extinction

When we realized that the botnet was still thriving, despite the removal of all DressCode-infected apps from Google Play and the detection by mobile security software, Lookout worked with the domain registrar and the hosting provider of the command-and-control servers to disable the DressCode infrastructure. While the malware may still linger or even be installed on new devices, it is now rendered harmless.

By monitoring traffic originating from remaining DressCode infections, we recently identified almost 6,000 unique IP addresses in 70 countries still trying to contact the malware infrastructure. But just like the fossilized remains of other highly evolved predators, DressCode has ceased to be a threat.

Heat map of the IP addresses of remaining DressCode malware infections.


Author

Alex Reshetniak,
Senior Security Researcher


Author

Christoph Hebeisen,
Senior Manager, App Security Intelligence