[jpshare]An Android Backdoor called MilkyDoor Infected with More than 200 Apps in Play store which contains Nealy 1 million Downloads .
According to the Trend Macro Report, MilkyDoor’s provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting the SOCKS proxies .
Recent days Android Threats are Rapidly increasing Especially Targeting Google Play Store Apps.While MilkyDoor seems, by all accounts, to be DressCode’s successor, MilkyDoor includes a couple of malicious traps of its own.
MilkyDoor Backdoor Basically forward by SSH Tunnel for through the commonly used Port 22 For avoid detection and generate Encrypted Payload.
Enterprise Risk with MilkyDoor:
Based on the it’s coded to attack mostly an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.
Mainly Target the Enterprise , particularly in networks that integrate BYOD (Bring Your Own Device) devices.When affected Mobile Device connected to an Enterprise Networks ,its spread the Backdoor and it Makes a greater Risk to Compromised Entire Network .Trend Macro Researchers said ,MilkyDoor can secretively concede attackers direct access of a venture’s enterprise—from web and FTP to SMTP in the internal system.
MilkyDoor Backdoor Infected “Hairstyles step by step” (Source : Trend Macro)
MilkyDoor Structure and Infecting Concept:
A process called “android.process.s” Hide itself when its running with Android system package.
According to Trend Macro Trojanized app’s installation, MilkyDoor requests a third-party server, which we’ve tracked as freegeoip[.]net, to obtain the device’s local IP address, including the country, city, and its coordinates (longitude/latitude).
It then uploads information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format that contains an SSH server’s user, password, and hostThe structure of the malicious code (Source :Trend Macro)
It uses Java Secure Channel (JSch) to establish the SSH tunnel between the infected device and the attacker.
MilkyDoor use the SOCKS convention and remote port sending by means of SSH to accomplish dynamic port forwarding, which thusly enables information to cross to every remote destinations and ports.
Since the SSH burrow utilizes Port 22, firewalls more often than do not block traffic that experience this port; this empowers information encryption of payloads transmitted over a system association.Attackers to bypass firewall to breach internal servers
According to Trend Macro Tracking Report , Tracing the malware and the SDK revealed that they were distributed as early as August 2016. The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3.