Friday, November 1, 2024
HomeBackdoor200 Unique Android Apps Discovered with Backdoor Called "MilkyDoor" Downloaded by...

200 Unique Android Apps Discovered with Backdoor Called “MilkyDoor” Downloaded by Nearly 1 Million Users – An Enterprise Risk

Published on

Malware protection

[jpshare]An Android Backdoor called  MilkyDoor Infected with More than 200 Apps in Play store  which contains Nealy 1 million Downloads .

According to the Trend Macro Report, MilkyDoor’s  provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting the SOCKS proxies .

Recent days Android Threats are Rapidly increasing  Especially Targeting Google Play Store Apps.While MilkyDoor seems, by all accounts, to be DressCode’s successor, MilkyDoor includes a couple of malicious traps of its own.

- Advertisement - SIEM as a Service

MilkyDoor Backdoor Basically forward by SSH Tunnel for  through the commonly used Port 22 For avoid detection and generate Encrypted Payload.

Enterprise Risk with MilkyDoor:

Based on the  it’s coded to attack mostly an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.

Mainly Target the Enterprise , particularly in networks that integrate BYOD (Bring Your Own Device) devices.When affected Mobile Device connected to an Enterprise Networks ,its spread the Backdoor and it Makes a greater Risk to Compromised Entire Network .

Trend Macro Researchers  said ,MilkyDoor can secretively concede attackers direct access of a venture’s enterprise—from web and FTP to SMTP in the internal system.

MilkyDoor Backdoor Infected  “Hairstyles step by step” (Source : Trend Macro)

MilkyDoor Structure and Infecting Concept:

A process called android.process.s” Hide itself when its running with Android system package.

According  to Trend Macro Trojanized app’s installation, MilkyDoor requests a third-party server, which we’ve tracked as freegeoip[.]net, to obtain the device’s local IP address, including the country, city, and its coordinates (longitude/latitude).

It then uploads information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format that contains an SSH server’s user, password, and host

The structure of the malicious code (Source :Trend Macro)

It uses Java Secure Channel (JSch) to establish the SSH tunnel between the infected device and the attacker.

MilkyDoor use the SOCKS convention and remote port sending by means of SSH to accomplish dynamic port forwarding, which thusly enables information to cross to every remote destinations and ports.

Since the SSH burrow utilizes Port 22, firewalls more often than do not block traffic that experience this port; this empowers information encryption of payloads transmitted over a system association.

Attackers to bypass firewall to breach internal servers

According to  Trend Macro Tracking  Report , Tracing the malware and the SDK revealed that they were distributed as early as August 2016. The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3.

Also Read:

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....