An Android backdoor called MilkyDoor has infected more than 200 apps in the Google Play Store, which together account for nearly 1 million downloads.
According to the Trend Micro report, MilkyDoor gives attackers a way to conduct reconnaissance and access an enterprise's vulnerable services by setting up SOCKS proxies.
Android threats have been increasing rapidly in recent days, especially those targeting Google Play Store apps. While MilkyDoor appears to be DressCode's successor, it includes a couple of malicious tricks of its own.
MilkyDoor forwards its traffic through an SSH tunnel over the commonly used port 22 to avoid detection, and the tunnel encrypts its payloads.
Based on its code, it is built to attack mostly an enterprise's internal networks, private servers, and ultimately corporate assets and data.
It mainly targets enterprises, particularly networks that integrate BYOD (Bring Your Own Device) devices. When an affected mobile device connects to an enterprise network, it spreads the backdoor and poses a greater risk of compromising the entire network. Trend Micro researchers said MilkyDoor can secretly grant attackers direct access to an enterprise's internal services, from web and FTP to SMTP.
MilkyDoor backdoor infecting "Hairstyles step by step" (Source: Trend Micro)
A process called "android.process.s" hides itself by running alongside the Android system packages.
According to Trend Micro, upon the trojanized app's installation, MilkyDoor requests a third-party server, which the researchers tracked as freegeoip[.]net, to obtain the device's local IP address, including the country, city, and its coordinates (longitude/latitude).
It then uploads the information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format that contains an SSH server's user, password, and host.
The structure of the malicious code (Source: Trend Micro)
It uses Java Secure Channel (JSch) to establish the SSH tunnel between the infected device and the attacker.
MilkyDoor uses the SOCKS protocol and remote port forwarding over SSH to achieve dynamic port forwarding, which in turn allows data to traverse to any remote destination and port.
Since the SSH tunnel uses port 22, firewalls more often than not do not block traffic passing through this port; the tunnel also encrypts the payloads transmitted over the network connection. According to Trend Micro's tracking report, tracing the malware and the SDK revealed that they were distributed as early as August 2016. The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3.
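Because the tunnel rides on port 22 and the firewall lets it through, the defender's signal is the shape of the session rather than its port: a long-lived, high-volume outbound SSH connection from a BYOD address to an external host. The following script is an added example, not code from the article or from Trend Micro; it scores constructed flow records against those three signals, and the BYOD and internal address ranges it uses are assumptions to be replaced with the local network plan.

```python
import ipaddress

# Constructed sample flow records (not real traffic); fields: source IP,
# destination IP, destination port, session duration in seconds, bytes sent.
SAMPLE_FLOWS = [
    # phone on the BYOD segment holding a long-lived SSH session to an external host
    {"src": "10.50.1.23", "dst": "203.0.113.10", "dport": 22, "duration_s": 7200, "bytes_out": 5_000_000},
    # same phone, short SSH session to an internal host: not flagged
    {"src": "10.50.1.23", "dst": "10.0.0.5", "dport": 22, "duration_s": 30, "bytes_out": 4_000},
    # corporate laptop, brief git-over-SSH push to an external host: only one signal
    {"src": "10.10.4.7", "dst": "198.51.100.8", "dport": 22, "duration_s": 45, "bytes_out": 1_200_000},
    # phone browsing over HTTPS: not port 22, ignored
    {"src": "10.50.1.40", "dst": "198.51.100.9", "dport": 443, "duration_s": 5, "bytes_out": 3_000},
]

# Assumed address plan: BYOD Wi-Fi lives in 10.50.0.0/16; everything outside
# the RFC 1918 ranges is treated as external.
BYOD_NETS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def suspicious_ssh_tunnels(flows, min_duration_s=600, min_bytes_out=1_000_000, min_signals=2):
    """Return outbound port-22 flows to external hosts that show at least
    `min_signals` of: BYOD source, long-lived session, high outbound volume."""
    findings = []
    for f in flows:
        if f["dport"] != 22 or in_any(f["dst"], INTERNAL_NETS):
            continue
        signals = []
        if in_any(f["src"], BYOD_NETS):
            signals.append("byod-source")
        if f["duration_s"] >= min_duration_s:
            signals.append("long-lived")
        if f["bytes_out"] >= min_bytes_out:
            signals.append("high-outbound-volume")
        if len(signals) >= min_signals:
            findings.append({"src": f["src"], "dst": f["dst"], "signals": signals})
    return findings


if __name__ == "__main__":
    for hit in suspicious_ssh_tunnels(SAMPLE_FLOWS):
        print(hit)
```

Run against exported firewall or NetFlow records, the single hit here is the BYOD phone's two-hour, 5 MB session to an external SSH server; the laptop's brief push trips only the volume signal and stays below the threshold.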