The Merkle

DressCode Android Botnet Remains Active 16 Months After Its Discovery

Botnets have proven to be a major pain in the rear for both security researchers and consumers. DressCode, one of the oldest Android botnets in existence, is still operational 16 months after it was initially discovered. This is a very real problem, as the malware opens a direct connection to infected phones. It is unclear why this solution still thrives in 2018, especially considering that most of the infected Google Play apps were removed over a year ago.

DressCode Botnet is Still a Problem

In the world of internet security, there are still plenty of things which need to change sooner rather than later. One of the main priorities is finding a way to eliminate botnets once and for all. The concept of a botnet is nothing new, as a large number of enslaved computers have become gateways for criminal activity ever since the Internet gained mainstream traction. Most victims don’t even know they are part of a botnet, let alone what they can do about it.

Android users may recall a botnet known as DressCode. It was first discovered back in 2016. At that time, the botnet mainly infected Android phones with a listening port which could be used to steal sensitive information. The malware was mainly distributed through Google Play apps, and over 400 such applications were promptly removed. One would expect that to have been the final straw for the DressCode botnet, but the reality is very different, unfortunately.

Indeed, recent evidence shows the DressCode botnet is still active in 2018. In fact, it seems to have grown in popularity and scale, which is extremely worrying. A total of four million Android devices may have become part of this growing botnet, mainly smartphones. It is certainly possible that Android tablets are also a part of this network, although we will need further research before drawing any conclusions on this front.

DressCode’s method of attack hasn’t changed in those 16 months either. The malware still creates open ports on infected devices, creating a direct connection between the attackers and their victims. As a result, the assailants can infiltrate home and company networks to steal sensitive information. Additionally, this is not a vulnerability which only the developers of DressCode can take advantage of. The unencrypted interface used to connect to infected Android devices can be used by anyone else who knows where to look.

While some people may think their firewall will be able to halt such infiltration attempts, that is not the case. That’s because the DressCode botnet bypasses any and all firewalls found in home and SMB routers alike. Once the connection between the server and a victim is open, anyone with control over the server can tunnel through the mobile device. It is unclear what the full consequences of such connections may be, but rest assured hackers will do their best to wreak as much havoc as possible.

For the time being, it is unclear how DressCode is being used exactly or who is making use of it these days. Knowing that this botnet is still active and growing in size since its initial discovery is by far one of the biggest security scares of 2018. It seems impossible to take down this botnet altogether, as the central server and two of its public APIs are still active. Whether or not that situation will change remains to be determined. We can only hope security researchers can put an end to DressCode sooner rather than later.